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Abstract 

To  provide  reliable,  accurate,  and  timely  wireless  network  security,  this  work 
introduces  a  Generalized  Relevance  Learning  Vector  Quantized  Improved  (GRLVQI) 
classification  process  and  extends  applicability  of  RF  “Distinct  Native  Attribute” 
(RF-DNA)  fingerprinting  for  device  classification  (a  one-to-many  looks  “most  like” 
assessment)  and  device  identity  verification  (a  one-to-one  looks  “how  much  like”  as¬ 
sessment).  Transition  to  the  GRLVQI  process  was  motivated  by  earlier  RF-DNA  fin¬ 
gerprinting  work  that  used  a  Multiple  Discriminant  Analysis/Maximum  Likelihood 
(MDA/ML)  classification  process.  Although  successful,  the  earlier  MDA/ML  works 
are  inherently  limited  in  that  they  provide  no  capability  for  determining  which  RF- 
DNA  features  are  most  important  to  classification  or  identification-GRLVQI  inher¬ 
ently  provides  a  feature  relevance  indication  and  overcomes  this  limitation. 

GRLVQI  feature  relevance  ranking  is  exploited  here  to  enable  Dimensional  Re¬ 
duction  Analysis  (DRA)  and  enhance  the  experimental-to-operational  transition  po¬ 
tential  of  RF-DNA  fingerprinting,  i.e. ,  identify  the  minimum  number  of  required  RF- 
DNA  features  to  achieve  desired  classification  and  verification  performance.  This  is 
done  using  RF-DNA  features  extracted  from  2D  (time- frequency)  Gabor  Transform 
(GT)  responses  of  experimentally  collected  emissions  from  Orthogonal  Frequency  Di¬ 
vision  Multiplexing  (OFDM)  based  802.16  Worldwide  Interoperability  for  Microwave 
Access  (WiMAX)  and  802.11  WiFi  devices.  Performance  using  2D  GT-based  RF- 
DNA  features  proves  superior  relative  to  demonstrations  using  ID  Time  Domain 
(TD),  ID  Spectral  Domain  (SD)  and  2D  Dual-Tree  Complex  Wavelet  Transform  (DT- 
CWT)  features. 

Using  GT-based  RF-DNA  fingerprints  and  the  GRLVQI  classifier,  demonstra¬ 
tions  here  include  average  classification  accuracy  of  %C>90%  using  1)  204  full  di¬ 
mensional  features  from  WiMAX  emissions  at  SNR>  10.0  dB,  and  2)  363  full  dimen- 


IV 


sional  features  from  WiFi  emissions  at  SNR>  12.0  dB.  Performance  with  DRA^90% 
dimensionally-reduced  feature  sets  (top  ranked  10%  of  the  most  relevant  features  re¬ 
tained)  included  %C>90%  using  only  1)  20  of  204  WiMAX  features  at  SNR>  12.0  dB 
and  2)  36  of  363  WiFi  features  at  SNR>13.0  dB.  Collectively,  this  corresponds  to 
a  1.0  to  2.0  dB  trade-off  in  required  SNR  to  achieve  a  given  %C  with  an  apprecia¬ 
ble  reduction  in  required  computational  resources.  For  device  ID  verification  using 
the  same  DRA^  90%  GT-based  RF-DNA  fingerprints,  GRLVQI  effectively  enabled: 
1)  100%  ID  verification  of  all  six  authorized  WiMAX  devices  while  detecting  97% 
(35  of  36  attempts)  of  spoofing  attacks  by  unauthorized  rogue  WiMAX  devices  at 
SNR=18.0  dB,  and  2)  100%  ID  verification  of  all  four  authorized  WiFi  devices  at 
SNR=15.0  dB;  rogue  WiFi  device  detection  was  not  assessed  due  to  available  data 
limitations  and  remains  an  area  of  interest  for  future  research. 
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Exploitation  of  RF-DNA  for  Device 
Classification  and  Verification 
Using  GRLVQI  Processing 


I.  Introduction 


His  chapter  introduces  the  dissertation  research  and  its  documentation.  The 


_L  operational  and  technical  motivation  for  conducting  the  research  is  provided 
in  Section  1.1  and  Section  1.2,  respectively.  Section  1.2  contains  three  subsections, 
including  a  summary  of  related  work  in  RF  fingerprinting  in  Section  1.2.1,  device 


classification  in  Section  1.2.2,  and  device  ID  verification  in  Section  1.2.3.  A  relational 


mapping  between  prior  related  research  and  research  contributions  of  this  disserta¬ 
tion  is  provided  in  Section  1.3,  followed  by  a  document  organization  overview  in 
Section  1.4. 

1.1  Operational  Motivation 

Historically,  opportunistic  “hackers”  have  routinely  gained  unauthorized  access 
to  wireless  networks  and  their  malicious  activities  are  expected  to  continue  as  new 
technologies  emerge  [10,11,15].  Given  the  ubiquity  of  Orthogonal  Frequency  Division 
Multiplexing  (OFDM)  and  Institute  of  Electrical  and  Electronics  Engineers  (IEEE) 
standards  governing  the  following  operations, 

1.  IEEE  802.11a/g  Wireless  Fidelity  (WiFi)  operation  [51], 

2.  IEEE  802.16  Worldwide  Interoperability  for  Microwave  Access  (WiMAX)  oper¬ 
ation  [50,52],  and 

3.  3rd  Generation  Partnership  Project  (3GPP)  Long  Term  Evolution  (LTE)  oper¬ 
ation  [4,5], 

the  threat  of  unauthorized  network  access  remains  a  concern  for  OFDM-based  wireless 
networks.  This  is  especially  true  when  considering  that  WiFi,  WiMAX  and  LTE 
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networks  commonly  provide  user  access  through  Wireless  Access  Points  (WAP)-one 
of  the  top  10  Information  Technology  (IT)  security  threats  [2], 

The  concern  is  even  greater  when  considering  applications  in  which  these  net¬ 
works  form  critical  links  in  an  overall  system  architecture.  Some  architectures  in 
which  OFDM-based  wireless  networks  are  deployed,  or  being  considered  for  deploy¬ 
ment,  include: 

1.  Home  area  WiFi  and  neighborhood  area  WiMAX  networks  in  support  of  Smart 
Grid  maintenance  and  operation  [61,91]. 

2.  Cloud  computing  connectivity  to  facilitate  user  access  to  data  anywhere  at  any¬ 
time  [28] .  In  cloud-connected  wireless  networks  the  end  users  surrender  protec¬ 
tive  custody  of  their  data;  therefore,  it  is  imperative  that  only  authorized  users 
be  granted  access.  This  is  even  more  critical  when  considering  the  potential 
number  of  peripherally  connected  subnetworks  operating  at  or  near  the  “edge” 
of  a  larger  cloud  infrastructure. 

3.  Industrial  Control  System  (ICS),  Supervisory  Control  And  Data  Acquisition 
(SCADA),  Energy  Management  System  (EMS),  and  other  critical  infrastruc¬ 
ture  elements.  The  backbone  and/or  backhaul  communication  for  these  type  of 
systems  is  commonly  based  on  the  IEEE  WiMAX  standards  and  their  security 
is  paramount  to  national  security  [61,80]. 

4.  Other  public  safety  applications  such  as  the  WiMAX-based  AeroMAX  network 
being  developed  by  the  Federal  Aviation  Administration  (FAA),  Eurocontrol, 
and  International  Civilian  Aviation  Organization  (ICAO)  to  support  next  gen¬ 
eration  airport  communication  services  [32,37]. 

Services  provided  within  wireless  networks  are  characterized  and  standardized 
by  the  Open  Systems  Interconnection  (OSI)  model  that  is  comprised  of  seven  layers  as 
shown  in  Fig.  1.1.  Security  and  detection  of  unauthorized  users  has  been  traditionally 
addressed  within  higher  “bit-level”  layers  of  the  OSI  model,  e.g.,  Network  (NWK)  and 
Data  Link  (DLL)  layers.  This  includes  a  considerable  amount  of  research  conducted 
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Figure  1.1:  Multi-layer  Open  Systems  Interconnect  (OSI)  network  model  [1,3]. 


on  bit-level  security  mechanisms  to  detect  and/or  mitigate  unauthorized  network 
access  [17,60,65,78,85,96].  By  design,  these  higher  layer  bit-level  security  approaches 
inherently  ignore  the  Physical  (PHY)  layer  -the  WAP  “doorway”  through  which  a 
majority  of  malicious  activity  occurs.  Neglecting  the  PHY  layer  fails  to  leverage 
potentially  useful  information  contained  within  wireless  network  Radio  Frequency 
(RF)  emissions. 

RF  fingerprinting  is  one  method  that  leverages  potentially  discriminating  PHY 
layer  information  by  exploiting  unique  features  that  are  1)  unintentionally  imparted 
on  RF  emissions  by  hardware  components  comprising  the  wireless  device,  and  2)  dif¬ 
ficult  for  unauthorized  users  to  mimic  and  replicate.  RF  fingerprints  facilitate  dis¬ 
crimination  between  multiple  devices,  establishment  of  a  device’s  identity  (ID),  and 
mitigation  of  unauthorized  network  access.  This  research  investigates  the  exploita¬ 
tion  of  PHY  layer  attributes  (i.e. ,  RF  fingerprints)  as  a  means  for  augmenting  bit-level 
security  mechanisms  to  1)  improve  authorized  user  verification,  and  2)  increase  de¬ 
tection  of  unauthorized  devices  attempting  to  gain  network  access.  Previous  research 
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has  shown  that  PHY  layer  attributes  can  be  useful  in  the  identification  of  wireless 
devices  and  provide  a  means  of  augmenting  current  bit-level  network  security  mech¬ 
anisms.  Section  1.2  provides  a  summary  of  previously  investigated  RF  fingerprinting 
techniques  that  utilize  PHY  layer  attributes  to  accomplish  this  goal. 

1 . 2  Technical  Motivation 

A  considerable  amount  of  research  has  been  conducted  in  the  area  of  RF  fin¬ 
gerprinting  over  the  past  two  decades  [23-25,  27,  31,  33,  36,  38-41,  44,  45,  47,  49,  54, 
56-58,67,71-76,81,84,86,88,89,93-95].  These  works  have  predominalty  investi¬ 
gated  the  use  of  RF  fingerprints  for  device  classification  (a  one-to-many  looks  “most 
like”  assessment)  using  various  wireless  communication  devices,  including:  IEEE 
802.11  WiFi  [44,45,47,54,56,57,67,73,81,84],  Global  System  for  Mobile  Commu¬ 
nications  (GSM)  cellular  phones  [75,93],  IEEE  802.16  WiMAX  [71-73,76,94],  IEEE 
802.15  Bluetooth  [40],  and  Radio  Frequency  Identification  (RFID)  [23,95].  The  work 
in  [44,45,47,56-58,71-73,76,81,93,94]  focused  on  inherent  PHY  layer  benefits  that 
leverage  RF  ‘Distinct  Native  Attributes’  (RF-DNA)  extracted  from  specific  portions 
of  modulated  signal  responses  to  achieve  serial  number  discrimination.  In  this  context, 
RF-DNA  attributes  are  1)  sufficiently  “distinct”  to  facilitate  persistent  cross-device 
discrimination  and  2)  “native”  in  that  variations  due  to  hardware  implementation, 
component  type,  manufacturing  processes  and/or  environmental  interactions  impart 
unintentional  “coloration”  upon  the  modulated  waveform  that  enable  device  discrim¬ 
ination. 

1.2.1  RF  Fingerprinting.  While  a  considerable  body  of  knowledge  has  been 
established  within  the  area  of  RF-DNA  fingerprinting,  there  remained  a  need  at  the 
onset  of  this  research  to  improve  the  experimcntal-to-operational  transition  potential 
of  RF-DNA  fingerprinting  and  facilitate  successful  fielding  of  a  system  to  provide  reli¬ 
able  and  robust  PHY  layer  security  augmentation.  The  envisioned  network  addition, 
designated  here  as  an  RF  “Air  Monitor”,  must  be  able  to  discriminate  between  1)  de- 
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vices  from  different  manufacturers  (inter-manufacturer  discrimination),  2)  dissimilar 
model  devices  from  the  same  manufacturer  (intra- manufacturer  discrimination),  and 
3)  like  model  devices  from  the  same  manufacturer  (intra-manufacturer  serial  number 
discrimination).  As  repeatedly  demonstrated,  intra- manufacturer  serial  number  dis¬ 
crimination  presents  the  greatest  challenge  [44,47,57,76,93,94]  and  three  approaches 
that  can  be  used  to  improve  overall  classification  performance,  include: 

1.  Discovering  a  more  robust  feature  set  for  use  with  a  given  classifier,  where  in¬ 
creased  robustness  enables  use  of  a  single,  minimal  dimension  feature  set  under 
multiple  channel  conditions  (Gaussian,  Rayleigh,  etc.)  and/or  multiple  device 
combinations  (inter- manufacturer  and  intra-manufacturer  conditions). 

2.  Developing  a  more  powerful  classifier  for  a  given  feature  set,  where  increased 
power  is  indicated  by  either  1)  requiring  a  lower  SNR  to  achieve  a  given  clas¬ 
sification  level,  or  2)  achieving  a  higher  classification  level  for  a  given  SNR. 

3.  A  combination  thereof. 

To  improve  RF-DNA  fingerprinting  classification  performance,  related  work 
in  [56-58]  investigated  the  use  of  an  alternate  feature  set  generated  from  2D  Dual- 
Tree  Complex  Wavelet  Transform  (DT-CWT)  coefficients;  the  first  successful  tran¬ 
sition  from  ID  Time  Domain  (TD)  and  ID  Spectral  Domain  (SD)  feature  sets  to 
a  2D  joint  Time-Frequency  (T-F)  feature  set.  The  DT-CWT  exploits  momentary 
and/or  time  localized  signal  energy  changes  as  a  function  of  frequency  [55].  Using 
preamble  responses  from  802.11a  wireless  signals,  results  in  [56-58]  show  that  classifi¬ 
cation  performance  using  2D  DT-CWT  T-F  features  is  superior  when  compared  with 
results  using  ID  TD  or  SD  features.  However,  the  T-F  resolution  trade-off  present 
in  the  DT-CWT  (i.e. ,  increasing  time  resolution  decreases  frequency  resolution  and 
visa-versa)  was  deemed  as  being  potentially  limiting. 

Among  the  list  of  alternative  2D  feature  spaces  initially  considered  are  the 
linear  Gabor  Transform  (GT),  non-linear  Gabor-Wigner  Transform  (GWT)  [18,83], 
the  Fractional  Fourier  Transform  (FrFT)  [14,16,66,69],  the  §- Transform  [79],  the 
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Chirplet  [63],  and  the  Cohen  class  of  T-F  distributions  (e.g.,  Choi-Williams  Trans¬ 
form)  [21].  GT  and  GWT  feature  sets  ultimately  became  the  focus  for  detailed  proof- 
of-concept  demonstration  given: 

1.  They  both  mitigate  potentially  adverse  T-F  resolution  trade-off  effects, 

2.  They  both  have  been  successfully  used  for  assessing  power  line  quality  and 
detecting  anomalous  signal  behavior  [18,83], 

3.  Technical  community  “encouragement”  to  consider  both  linear  and  non-linear 
transforms  and  assess  potential  benefits  of  RF-DNA  fingerprinting  when  oper¬ 
ating  in  multipath  environments. 

Section  2.2.3  provides  a  detailed  description  of  the  GT  and  GWT  implementa¬ 
tions  considered  here  [9,59,92],  along  with  RF-DNA  fingerprint  generation  improve¬ 
ments  that  were  required  to  process  complex  2D  T-F  data. 

1.2.2  Device  Classification.  Numerous  classification  methods  exist  within 
the  pattern  recognition  community,  with  some  of  the  most  popular  including  Fisher’s 
Linear  Discriminant  (FLD),  K-Nearest  Neighbor  (kNN),  Support  Vector  Machine 
(SVM),  and  simple  cross-correlation  techniques  [40,57,82,88,94,95].  The  RF-DNA 
fingerprinting  research  in  [57,71,74-76,81,93,94]  used  the  Fisher-based  MDA/ML 
classifier  to  perform  Multiple  Discriminant  Analysis  (MDA)  feature  selection  followed 
by  Maximum  Likelihood  (ML)  device  discrimination  using  previously  unseen  data. 
It  is  also  important  to  note  that  specialized  classification  techniques  have  seen  little 
advancement  [57].  Therefore,  if  a  more  robust  set  of  2D  T-F  features  (e.g.,  DT-CWT, 
GT,  GWT,  etc.)  is  combined  with  a  more  powerful  classifier,  it  is  expected  that 
classification  performance  will  improve. 

While  performing  favorably  in  works  cited  previously  using  various  signals  of 
interest,  there  are  some  inherent  drawbacks  to  the  MDA/ML  classifier,  including: 

1.  The  dimensionality  of  the  Nq- dimensional  input  feature  set  is  reduced  through 
projection  to  a  lower  ( Nq  —  l)-dimensional  subspace  with  a  goal  of  maximizing 
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inter-class  separation  and  minimizing  intra-class  spread.  Through  MDA  feature 
selection,  inherent  input  information  is  discarded  through  projection  and  the 
ability  to  identify  significant  input  features,  i.e. ,  those  having  greatest  impact 
on  class  separation  and  classification  accuracy,  is  inherently  lost; 

2.  MDA  feature  selection  is  performed  independently  of  subsequent  ML  classifica¬ 
tion.  This  can  lead  to  an  undesirable  effect  of  decreased  classification  accuracy 
when  using  a  reduced  dimensional  feature  set  relative  to  what  may  be  achievable 
using  a  full-dimensional  feature  set  [64]; 

3.  For  ML  classification,  there  is  either  1)  knowledge  of  the  statistical  distribution 
of  each  class’  inputs,  or  2)  an  assumption  made  on  the  statistical  distribu¬ 
tions.  Traditionally,  this  includes  assuming  each  class’  inputs  are  normally  dis¬ 
tributed  with  equal  costs  and  uniform  prior  probabilities  [57,74-76,81,93,94], 
However,  specific  knowledge  of  the  distribution  of  each  class’  inputs  may  be 
unknown  and  the  assumed  normal  condition  may  be  violated  under  practical 
conditions  (i.e.,  burst-to-burst  signal  variation,  channel  conditions,  operating 
environments,  etc.); 

4.  It  has  been  suggested  that  the  success  of  machine  learning  approaches  (e.g., 
MDA/ML  classification )  is  adversely  affected  by  factors  such  as  noisy  or  unre¬ 
liable  data,  or  irrelevant  or  redundant  information  [42], 

Given  noted  MDA/ML  drawbacks,  Air  Force  Institute  of  Technology  (AFIT)  re¬ 
searchers  have  recently  considered  two  alternate  classifiers,  including:  1)  an  Artificial 
Neural  Network  (ANN)-based  Generalized  Relevance  Learning  Vector  Quantization- 
Improved  (GRLVQI)  process  [43,64],  and  2)  a  Learning  From  Signals  (LFS)  process 
that  is  being  jointly  developed  with  researchers  from  Oak  Ridge  National  Labora¬ 
tory  (ORNL)  researchers  [14,44,46,47].  While  both  methods  inherently  overcome 
all  MDA/ML  drawbacks  to  some  extent,  the  ability  of  GRLVQI  and  LFS  to  support 
Dimension  Reduction  Analysis  (DRA)  provides  the  greatest  benefit,  i.e.,  these  meth¬ 
ods  inherently  provide  a  means  for  identifying  and  retaining  a  reduced  subset  of  most 
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relevant  features  contained  in  the  full- dimensional  feature  set.  The  goal  is  to  find  a 
DRA  reduced- dimensional  subset  that  maintains  a  given  classification  performance 
and  minimizes  required  computational  resources. 

Given  the  relative  maturity  of  GRLVQI,  it  was  adopted  under  this  research  as 
the  process  of  choice  for  increasing  classifier  power.  The  increased  “power”  of  this 
classifier  rests  not  only  in  the  potential  for  improving  overall  classification  perfor¬ 
mance,  but  also  in  the  fact  that  it  provides  a  mechanism  for  determining  which  input 
features  are  most  significant-a  key  deficiency  of  the  MDA/ML  classifier.  Specific 
advantages  of  GRLVQI  relative  to  MDA/ML  drawbacks  include  [43,64]: 

1.  Most  importantly,  a  relevance  ranking  is  assigned  to  each  feature  comprising  an 
input  RF-DNA  fingerprint-a  direct  measure  relating  input  feature  significance 
to  the  overall  classification  decision. 

2.  Feature  selection  is  performed  in  conjunction  with  classification. 

3.  No  inherent  assumption  nor  actual  knowledge  required  on  input  data  distribu¬ 
tion  (i.e. ,  Gaussian,  Rayleigh,  etc.). 

4.  Processing  is  well-suited  for  cases  where  the  number  of  input  features  may  be 
inconsistent  across  classes,  or  where  the  inputs  are  comprised  of  noisy  or  incon¬ 
sistent  data. 

Additional  details  on  GRLVQI  processing  are  provided  in  Section  2.3.2  and 
Section  3.3.2.  Comparative  classification  performance  results  using  RF-DNA  based 
on  traditional  ID  TD  and  ID  SD  features,  as  well  as  features  based  on  joint  2D  T-F 
responses  are  presented  in  Chapter  IV. 

1.2.3  Device  ID  Verification.  Traditionally,  RF-DNA  fingerprint  research 
has  predominantly  focused  on  device  classification  (a  one-to-many  looks  “most  like” 
assessment)  [44,47,57,74-76,81,93,94].  In  this  case,  the  network  “air  monitor”  would 
perform  a  “one-to-many”  comparison  to  determine  an  unknown  device’s  identity.  This 
is  done  by  comparing  the  current  “challenge”  RF-DNA  from  the  unknown  device  to 


the  reference  models  stored  for  each  of  the  known  authorized  network  devices.  Tra¬ 
ditionally,  in  device  classification  the  unknown  device’s  “challenge”  fingerprints  will 
be  assigned,  by  the  classifier,  as  belonging  to  one  of  the  known  classes.  This  assign¬ 
ment  is  made  regardless  of  whether  or  not  the  “challenge”  RF-DNA  originated  from 
an  authorized  (i.e. ,  reference  model  on  hand)  or  unknown  (i.e. ,  no  stored  reference 
model)  device.  This  leads  to  a  final  classification  decision  being  made  based  upon  a 
“best-match”  criteria,  where  the  best-match  may  actually  be  a  poor  match.  Also,  this 
“one-to-many”  comparison  may  not  be  practical  in  all  applications,  including  those 
where  the  air  monitor  supports  a  network  comprised  of  a  large  number  of  devices  and 
timely,  accurate  authentication  is  required.  The  challenge  becomes  even  greater  when 
considering  networks  where  users  enter  and  leave  frequently  or  randomly  (e.g.,  public 
WiFi  hot  spots,  cellular-based  networks,  etc.). 

This  research  adopted  the  verification  procedures  used  in  [19,  20]  for  uninten¬ 
tional  emissions  from  electronic  devices  and  applies  them  to  intentional  emissions  from 
wireless  devices  to  perform  device  ID  verification  (a  one-to-one  looks  “how  much  like” 
assessment).  This  process  involves  a  “one-to-one”  comparison  of  the  device’s  cur¬ 
rent  RF-DNA  fingerprint  with  a  stored  reference  model  associated  with  that  device’s 
digitally  claimed  bit-level  identity;  common  digital  identifiers  include  the  Medium 
Access  Control  (MAC)  address,  Electronic  Serial  Number  (ESN),  International  Mo¬ 
bile  Equipment  Identity  (IMEI)  number  and  the  Subscriber  Identity  Module  (SIM) 
number.  As  commonly  done  in  network  applications,  verification  results  in  [19,  20] 
and  Chapter  IV.  results  here  are  presented  using  Receiver  Operating  Characteristic 
(ROC)  curves  and  corresponding  Equal  Error  Rate  (EER)  to  characterize  device  ID 
verification  capability,  with  EER  being  the  point  at  which  False  Reject  Rate  (FRR) 
equals  False  Accept  Rate  (FAR)  [24,53].  A  more  detailed  description  of  device  ID 
verification  is  presented  in  Section  2.4  and  Section  3.5. 


9 


1.3  Research  Contributions 


Table  1.1  provides  a  summary  of  the  technical  areas  identified  in  the  previ¬ 
ous  sections,  along  with  a  relational  mapping  between  “Previous  Work”  (pre-existing 
knowledge  base)  and  contributions  of  the  “Current  Research”  (knowledge  base  ex¬ 
pansions)  that  are  presented  in  this  dissertation. 


Table  1.1:  Relational  mapping  between  Technical  Areas  in  Previous  related  work  and 
Current  research  contributions.  The  x  symbol  denotes  areas  addressed. 


Technical  Area  Previous  Work  Current  Research 


Addressed 

Ref# 

Addressed 

Ref# 

TD  Fingerprinting 

X 

[23,41,56,57] 

[81,82,93,94] 

X 

[74-76] 

SD  Fingerprinting 

X 

[94] 

X 

[76] 

DT-CWT  Fingerprinting 

X 

[56-58] 

GT/GWT  Fingerprinting 

X 

[45, 71-73, 76] 

Signal  Type/Modulation 


802.11/OFDM 

X 

[56-58,94] 

X 

[45,73] 

GSM/GMSK 

X 

[93] 

X 

[74,75] 

802.16e/OFDMA 

X 

[94] 

X 

[71,73,76] 

Device  Classification 


GRLVQI 

X 

[56,57] 

X 

[45, 72, 73] 

LFS 

X 

[12-14,44,46,47] 

X 

[45] 

Dimension  Reduction  Analysis  (DRA) 


GRLVQI 

X 

[56,57] 

X 

[45, 72, 73] 

LFS 

X 

[45] 

Device  ID  Verification 


Electronic  Components 

X 

[19,20] 

Authorized  Wireless  Devices 

X 

[72, 73] 

Rogue  Wireless  Devices 

X 

[72, 73] 
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1.4  Document  Organization 

This  document  is  organized  as  follows.  Chapter  II  provides  details  on  technical 
topics  and  literature  related  to  OFDM-based  WiMAX  and  WiFi  signal  implementa¬ 
tion,  RF  signal  collection,  post-collection  processing,  RF-DNA  fingerprinting,  device 
classification ,  and  device  ID  verification.  Chapter  III  outlines  the  methodology  used 
during  the  research  to  collect,  process,  generate  fingerprints,  and  subsequently  identify 
and/or  verify  IEEE  802. 16e  WiMAX  and  802.11a  WiFi  devices.  Chapter  IV  presents 
TD,  SD,  GT,  and  GWT  device  classification  performance  for  the  MDA/ML  and  GR- 
LVQI  classifiers,  as  well  as  authorized  and  “rogue”  device  verification  performance 
for  the  investigated  signal  types.  Lastly,  concluding  comments  and  envisioned  future 
research  activity  is  presented  in  Chapter  V. 
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II.  Background 


THIS  chapter  provides  a  summary  of  necessary  technical  concepts  used  in  develop¬ 
ing  the  research  methodology  presented  in  Chapter  III,  as  well  as  generation  of 
results  presented  in  Chapter  IV.  Section  2.1  provides  a  description  of  the  signals  of  in¬ 
terest  which  include  IEEE  compliant  Wireless  Fidelity  (WiFi)  and  Worldwide  Interop¬ 
erability  for  Microwave  Access  (WiMAX)  signals.  Section  2.2  provides  a  description  of 
RF-DNA  fingerprint  generation  based  on  three  specific  responses,  including  ID  Time 
Domain  (TD),  ID  Spectral  Domain  (SD),  and  2D  joint  (T-F)  domain.  Device  classi¬ 
fication  using  Multiple  Discriminant  Analysis/Maximum  Likelihood  (MDA/ML)  and 
Generalized  Relevance  Learning  Vector  Quantization-Improved  (GRLVQI)  processes 
is  presented  in  Section  2.3.  The  chapter  concludes  with  Section  2.4  which  describes 
the  device  ID  verification  process. 

2. 1  Signals  of  Interest 

2.1.1  IEEE  802. 16e  WiMAX.  An  Alvarion  BreezeMAX  Extreme  5000  IEEE 
802. 16e  WiMAX  network  using  60/40  Time  Division  Duplexing  (TDD)  was  used  for 
experimental  demonstration.  The  first  60%  of  the  Tp= 5  ms  TDD  frame  was  allocated 
for  Base  Transciever  Station  (BTS)  Down-Link  (DL)  transmission  and  the  remaining 
40%  allocated  for  Mobile  Subscriber  (MS)  Up- Link  (UL)  transmission  [7].  The  RF 
channel  occupied  a  bandwidth  of  Wch= 5  MHz  centered  at  fc= 5475  MHz.  Figure  2.1 
presents  magnitude  plots  for  three  distinct  UL  sub-frame  responses  that  were  observed 
during  experimentation.  As  indicated,  these  are  designated  as  Data- Only,  Range-Plus- 
Data ,  and  Range- Only  mode  responses  [76].  These  MS  “operating  modes”  were  not 
apparent  in  any  Alvarion  or  supplemental  documentation.  When  an  MS  transmits  in 
the  Range-Plus-Data  or  Range- Only  modes,  the  ranging  portion  of  the  UL  subframe 
is  used  for  intial  network  setup,  synchronization,  BTS-to-BTS  handover,  resolution  of 
bandwidth  contention,  as  well  as  timing  and  frequency  offset  calculation  [22,50,52], 
All  subsequent  discussion  as  well  as  results  presented  in  Chapter  IV  are  based  upon 
the  tested  MS  operating  in  the  Range-Only  mode. 
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(a)  MS  Data  Only  sub-frame  response. 


Time  (ms) 


(b)  MS  Range-Plus-Data  sub-frame  response. 
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(c)  MS  Range  Only  sub-frame  response. 

Figure  2.1:  Three  distinct  UL  sub-frame  magnitude  responses  for  “operating  modes” 
of  BreezeMAX  802. 16e  WiMAX  MS  transmissions  [76]. 
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Unlike  previously  investigated  GSM  and  802.11  signals  [57,58,74,75,93],  the 
collected  mobile  802. 16e  WiMAX  MS  signals  lack  a  distinct  portion  of  the  modulated 
waveform  that  remains  consistent  across  all  devices.  However,  all  of  the  observed  MS 
responses  contained  a  device  power  up  bias  that  spanned  the  UL  sub-frame.  This 
power  up  bias  is  most  apparent  in  Fig.  2.1(c)  and  is  expanded  upon  in  Fig.  2.2.  It 
is  believed  that  the  bias  is  incorporated  by  design  to  stabilize  electronic  component 
response  and  mitigate  adverse  peak-to-average  power  ratio  effects  that  frequently 
occur  in  OFDM.  An  approximate  14.0  /is  interval  (2.0  /is  to  16.0  /is)  of  the  UL 
sub-frame  response  is  designated  here  as  the  “near-transient”  response.  This  “near¬ 
transient”  response  in  Fig.  2.2  has  thus  far  resulted  in  the  most  useful  RF-DNA  for 
WiMAX  MS  device  classification  and  verification  [71,76]. 

2.1.2  IEEE  802.11a  WiFi.  IEEE  802.11a  WiFi  is  an  OFDM  signal  com¬ 
prised  of  Nq= 52  sub-carriers  with  a  channel  bandwidth  of  Wen— 16-6  MHz  centered 
at  fc= 5745.2  MHz  [51].  The  802.11a  signal  specification  requires  that  each  RF  trans¬ 
mission  include  a  distinctive  preamble  at  the  beginning.  This  distinct  preamble  is 
comprised  of  10  short  and  2  long  training  sequences.  Networked  devices  use  these  se¬ 
quences  to  assist  in  diversity  selection,  timing  and  frequency  acquisition,  and  channel 


Figure  2.2:  Expanded  view  of  “near-transient”  region  of  Range-Only  magnitude  re¬ 
sponse,  of  Fig.  2.1(c),  showing  the  device  power  up  bias  present  within  the  UL  sub- 
frame  [76]. 
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Figure  2.3:  First  25  /zs  of  an  802.11a  WiFi  burst  (major  portion  of  payload  omitted). 
The  preamble  spans  the  first  16.5  /zs  [73]. 

estimation  [51].  In  this  work,  the  signals  used  for  experimental  demonstration  were 
collected  from  two  laptops  using  Cisco  AIR-CB21G-A-K9  WiFi  cards  operating  as  a 
peer-to-peer  Ad  hoc  wireless  network.  Figure  2.3  illustrates  the  preamble,  comprising 
the  first  16.0  /zs,  of  a  802.11a  WiFi  transmission  from  which  RF-DNA  fingerprints 
are  extracted  for  subsequent  device  discrimination. 

2. 2  RF-DNA  Fingerprinting 

This  work  investigates  the  application  of  RF-DNA  fingerprinting  using  features 
based  on  ID  Time  Domain  (TD),  ID  Spectral  Domain  (SD),  and  2D  joint  Time- 
Frequency  (T-F)  responses. 

2.2.1  ID  Time  Domain  (TD).  As  in  [44,47,74-76,81,94],  this  work  used  RF- 
DNA  fingerprints  extracted  from  instantaneous  TD  amplitude,  phase,  and  frequency 
responses.  RF-DNA  fingerprints  (f td)  are  generated  from  Ns  samples  extracted  from 
the  complex  signal  s{n)  =  s/(n)  +  jsg(n).  For  consistency  with  [74-76,81,94],  the 
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TD  RF-DNA  fingerprints  are  generated  from  the  centered  (denoted  with  subscript 
c)  and  normalized  (denoted  with  over  bar)  amplitude  {ac(n):n=l, . . . ,  Ns},  phase 
{(j)c(n):n= 1, . . . ,  Ns},  and  frequency  {fc(n):n= 1, . . . ,  Ns}  sequences.  The  TD  feature 
sequences  are  given  by, 


4>{ri)  =  tan 


a(n)  =  sj sj(n)  +  s2Q{n), 


_  si(n) 


,  for  s/(n)  ^  0, 


(2.1) 

(2.2) 


/(n)  =  s 


d(j)(n ) 
dn 


(2.3) 


Subsequent  centering  and  normalization  of  the  TD  feature  sequences  is  achieved  by 


a(n)  ~  fig 
max{ac(n)} 


(2.4) 


<t>c{n) 


(j)(n)  - 

max{0c(n)}  ’ 


(2.5) 


Un)  =  TiAvw 

max{jc(n)} 

n 


(2.6) 


where  n=l, . . . ,  Ns,  fj,a,  fi^  and  /i/  are  the  amplitude,  phase,  and  frequency  means 
calculated  across  Ns  samples,  and  max{-}  denotes  the  maximum  of  each  feature 
sequence’s  centered  magnitude. 


As  shown  in  Figure  2.4,  an  RF-DNA  fingerprint  (f td)  is  generated  by  dividing 
each  of  the  TD  sequences  into  Nr  equal  length,  sequential  subregions  such  that  Ns/Nr 
is  an  integer.  Features  are  generated  by  calculating  statistics:  standard  deviation  (a), 
variance  ( a 2),  skewness  (7),  and/or  kurtosis  (/?),  over  each  of  the  Nr  subregions,  as 
well  as  the  Nr  +  1  subregion  which  spans  the  entire  length  of  a  TD  sequence.  The 
calculated  statistics,  for  each  of  the  selected  subregions,  are  arranged  as  follows: 


(2.7) 
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Arbitrary  Feature  Sequence 


R3  I  °R3’  °R3->  Jr3’  kR3  1 


Figure  2.4:  Regional  fingerprint  generation  for  Nr+1  total  regions  using  the  centered 
and  normalized  feature  sequences  [94]. 


where  i  —  1,2, ,  Nr+1.  A  composite  fingerprint  is  formed  by  concatenating  the  sta¬ 
tistical  features  calculated  to  form  (2.7)  with  one  another  for  a  selected  TD  sequence 
as  follows  [94], 


fd  = 


ffil  :  f/t'2 


rR3 


*Rnr+1 


(2.8) 


-1  1x4(JVh+1) 

where  the  superscript  5  denotes  a  specific  TD  sequence,  i.e.,  {ac(n)},  {<f>c(n)}  or 
{fc(n)}.  Due  to  the  use  of  multiple  TD  sequences  in  the  generation  of  TD  RF-DNA 
fingerprints,  the  composite  fingerprints  from  (2.8)  are  concatenated  to  compose  f td 
as  follows: 


fro  — 


f“  :  f0  :  f / 


Therefore,  f td  contains  a  total  of  NjD  = 
(#  of  Regions  +  1)  elements. 


(2.9) 

1x4(Nr+1)x3 

(#  of  Features)  x  (#  of  Statistics)  x 


2.2.2  ID  Spectral  Domain  (SD).  RF-DNA  fingerprinting  is  performed  using 
SD  features  generated  as  in  [94]  and  based  upon  the  TD  methods  outlined  in  Sec¬ 
tion  2.2.1.  SD  RF-DNA  fingerprints  (fsn)  are  generated  using  the  power-normalized 
Power  Spectral  Density  (PSD)  of  the  complex  signal  sequence  (s(n)}  [94],  The  Dis¬ 
crete  Fourier  Transform  (DFT)  is  used  in  calculating  the  desired  PSD  feature  sequence 
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{p(k)}  as  follows  [70], 


-j  -*vs 

S(k)  =  —J24r‘)e-mN"n't\  (2.10) 

s  n= 1 

$(N„n,k)  =  (n-l)(fc-l),  (2.11) 

where  fc=0.1, . . . ,  Ns.  To  obtain  the  desired  power-normalized  PSD  sequence  {p(k)}, 
(2.10)  is  divided  by  the  signal’s  average  power, 

m  =  fi\S(k)\\  (2.12) 

s 

where  Ps  is  given  by, 

^  Na 

Ps  =  aT  £  s(n)s(n)*,  (2.13) 

s  ra=l 

and  *  denotes  complex  conjugate.  The  PSD  is  normalized  to  diminish  potential  col¬ 
lection  process  effects  that  may  bias  the  classification  results.  As  in  [23,76,81,82,94], 
the  DC  (k— 0)  and  redundant  {Ns/2  +  l,Ns/2  +  2, . . . ,  Afs)  terms  of  {p(k)}  are  re¬ 
moved  prior  to  statistical  fingerprint  generation.  As  with  the  TD  process,  outlined 
in  Section  2.2.1,  statistics  are  calculated  over  Nr  contiguous  sub-regions  within  the 
power-normalized  PSD.  Each  SD  RF-DNA  fingerprint  (fsx>)  is  formed  by  grouping 
the  statistics  as  in  (2.7)  and  subsequent  concatenation  to  generate  SD  RF-DNA  fin¬ 
gerprints  of  the  form, 


f SD  — 


f/jj  :  ff?„  :  f??,  •  •  •  f 


lR2  ■  LRs 


Rnr+i 


lx4(Vfl+l) 


(2.14) 


The  process  in  (2.14)  results  in  f Sd  being  comprised  of  a  total  of  Nj  D  =  fifi  of  Statistics)  x 
(fi  of  Regions  +  1)  elements. 


2.2.3  2D  Joint  Time-Frequency  (T-F)  Domain.  In  a  majority  of  previous 
related  work,  RF-DNA  fingerprints  were  predominantly  extracted  from  ID  TD  and 
SD  responses  [57,58,74,75,94],  with  Dual- Tree  Complex  Wavelet  Transform  (DT- 
CWT)  coefficients  being  AFIT’s  first  application  of  joint  2D  features  [56,57].  The 
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use  of  DT-CWT  coefficients  is  consistent  with  conclusions  in  [9]  indicating  that  the 
use  of  momentary  and/or  time  localized  energy  as  a  function  of  frequency  can  be 
effective  for  describing  signals.  This  motivated  the  use  of  2D  T-F  localization  using 
the  Discrete  Gabor  Transform  (DGT)  which  is  calculated  as  follows  [9], 

mna 

Gmk  =  Y  s(n)W*(n  -  mNA )  exp~j2nkn/KG ,  (2.15) 

77.— 1 

where  Gmk  are  the  Gabor  coefficients,  s{n)=s{n-\-lMN A)  is  the  periodic  input  signal, 
W(n)  =  W(n  +  IMNA)  is  the  periodic  analysis  window,  NA  is  the  number  of  samples 
shifted,  m=l,2,  ...,M  for  M  total  shifts,  and  k=0, 1, . . . ,  Kq— 1  for  Kq>Na  and 
mod(MNA,  Kg)=0  satisfied  [76].  In  the  case  where  Kg=Na ,  the  Gabor  transforma¬ 
tion  represents  critical  sampling.  Oversampling  occurs  when  Kq>Na  and  is  desirable 
when  processing  noisy  data  [9,35,92,97].  Therefore,  oversampling  was  deemed  ap¬ 
propriate  for  this  research  given  collected  signal  of  interest  responses  are  noisy;  thus, 
enabling  a  more  reliable  analysis  with  varying  SNR.  As  in  [9],  the  DGT  was  imple¬ 
mented  using  a  Gaussian  analysis  window  W  (n) . 

The  GT  is  combined  with  the  Wigner-Ville  Distribution  (WVD)  to  form  the 
Gabor-Wigner  Transform  (GWT)  [68].  This  combination  takes  advantage  of  the  GTs 
lack  of  cross-terms  and  faster  computation  as  well  as  the  higher  clarity  of  the  WVD. 
While  somewhat  arbitrary  in  terms  of  exponential  weighting,  and  without  regard  for 
optimizing  performance,  the  GWT  is  computed  here  using  [68], 

GWmfc  =  G^V™,  (2.16) 

where  Vm&  is  the  Discrete  Pseudo  Wigner  Distribution  (DPWD)  given  by  [18], 

Kg!  2—i 

Nmk=  Y  h(n)exp~j2^KG,  (2.17) 

n=-(Ka/ 2-1) 

h[n)  =  w(n)w*(n)s(m  +  n)s*(m  —  n ),  (2-18) 


19 


and  Hamming  window  function  w(n)  is  implemented  as  in  [18].  RF-DNA  fingerprints 
are  generated  from  the  normalized  magnitude-squared  Gabor  and  Gabor-Wigner  co¬ 
efficients  Gmfc|2  and  |GWmfc|2,  respectively.  The  magnitude-squared  coefficients  are 
normalized  by, 


I A mk  I 


A-rrik 

2  _ 

-  min  { 

A. 

mk 

I2} 

max 

{  |  A  mk 

2  —  min 

{ 

I2}} 

(2.19) 


where  Am/i.  are  the  coefficients  of  the  selected  T-F  transform. 


As  shown  in  Fig.  2.5,  the  resulting  T-F  surface  is  divided  into  NfxNf  2- 
dimensional  subregions  (patches),  vectorized,  and  statistics  calculated  (standard  de¬ 
viation,  variance,  skewness,  and  kurtosis).  The  dimensions  of  each  NfxNf  patch  are 
selected  to  ensure  a  minimum  of  NTF=15  entries  are  used  for  statistical  calculation. 
Similar  to  TD  and  SD  RF-DNA  fingerprint  generation,  statistics  calculated  over  the 
entire  T-F  surface  are  included  and  represent  the  Nr  +  1  subregion. 


Nt< 


Fingerprint  Elements 


#  Statistics  X  NB 


N, 


Nt  X  NF  Samples/Patch 
a  -  Std  Deviation 
a2  -  Variance 
y  -  Skewness 
k  -  Kurtosis 


Figure  2.5:  Gabor-based  RF-DNA  fingerprint  generation  using  NF x NF  2D  T-F 
patches  of  centered  and  normalized  magnitude-squared  GT  and  GWT  coefficients  [76]. 
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2.3  Device  Classification 

2.3.1  MDA/ML  Processing.  As  in  [20,74-76,81,82,94],  MDA/ML  is  used 
to  perform  feature  selection  and  device  classification  (a  one-to-many  “best  match” 
assessment).  The  goal  of  MDA  is  to  reduce  feature  dimensionality  while  improving 
class  separability.  MDA  is  an  extension  of  Fisher’s  Linear  Discriminant  Analysis 
(LDA)  from  a  two-class  case  to  the  Ac-class  case,  where  Nc  is  the  total  number  of 
classes/devices.  MDA  is  a  linear  operation  that  projects  the  samples  (i.e.,  the  RF- 
DNA  fingerprints)  to  a  (Nc~ l)-dimensional  subspace  without  reducing  the  power 
of  class  separability  [87].  The  MDA  projection  maximizes  inter-class  distances  while 
minimizing  intra-class  spread. 

In  MDA,  the  between  (inter-)  (S&)  and  within  (intra-)  (S^)  class  scatter  matrices 
are  computed  [87]: 

c 

=  (2-2°) 

i= 1 

C 

So;  =  -  /io)(hi  -  ho)r,  (2.21) 

i= 1 

where  Ej  and  Pi  are  the  covariance  matrix  and  prior  probability  of  class  c*,  re¬ 
spectively.  Individual  RF-DNA  fingerprints  are  projected  into  the  lower  (Ac— 1)- 
dimensional  subspace  by: 

fW  =  WTf,  (2.22) 

where  W  is  the  projection  matrix  formed  from  the  (Ac—  1)  eigenvectors  of  Sjj1Sfe.  It 
is  through  the  formation  of  the  projection  matrix  W  that  results  in  the  optimal  ratio 
between  the  inter-class  distances  and  intra-class  variances  [87].  Figure  2.6  provides 
a  representative  illustration  of  two  possible  MDA  projection  matrices.  In  this  case, 
projection  matrix  WR  provides  “best”  case  class  separation  performance. 

For  each  class,  a  total  of  Nr  training  fingerprints  are  projected  (denoted  by 
the  superscript  W)  during  the  MDA  training  process  to  form  the  projected  training 
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Figure  2.6:  Representative  MDA  projection  from  Nq— 3  class  inputs  to  two  possible 
Nq—  1=2D  subspaces.  [30]. 


matrix  fw  as  follows: 


fW 


fW  fW  fW 

11  >  i2  >  '  '  '  >  LNT 


T 

jVTx(C-l) 


(2.23) 


The  mean  vector  fifi1  and  covariance  matrix  are  estimated  and  stored  for  each 
class’  projected  training  fingerprints.  A  multi-variate  Gaussian  distribution,  com¬ 
puted  using  the  pooled  covariance  matrix  and  appropriate  estimated  mean  vec¬ 
tor  fi™ ,  is  fitted  to  each  class’  training  samples  to  form  the  reference  models.  These 
reference  models  are  used  to  estimate  the  similarity  measure/likelihood  values  of  the 
given  fingerprint  f  [87]: 


pm) 


i 

(2vr)(C-1)/2  det(SW)i/2 


•exp  (j;), 


(2.24) 


where, 

^  =  (2.25) 

Average  percent  correct  device  classification  is  calculated  as  the  percentage  of  the  time 
the  classifier  correctly  assigns  an  observed  RF-DNA  fingerprint  to  its  true  class  over 
all  trials.  The  pooled  covariance  matrix  used  in  subsequent  generation  of  each 
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class’  reference  model,  is  calculated  from  the  individual  estimated  class  covariances 
as  follows, 


vw  _ 

2jp  — 


AT  -  TV, 


c 


NC 


2—1 


where  Nc  is  the  total  number  of  classes  (devices). 


(2.26) 


A  device’s  identity  is  determined  through  the  comparison  of  its  unknown  RF- 
DNA  fingerprint  with  each  reference  model  that  has  been  fit  to  each  of  the  Nq  training 
sets  following  feature  selection.  A  classification  decision  is  made  by  computing  a 
similarity  measure  between  the  unknown  RF-DNA  fingerprint  and  each  of  the  Nc 
known  reference  templates  and  assigning  it  to  the  class  that  results  in  the  best  match. 
As  in  [20],  this  work  uses  the  Bayesian  posterior  probability,  under  the  assumptions 
of  uniform  costs  and  equal  priors,  as  the  similarity  measure.  This  approach  optimally 
minimizes  the  classification  error  probability  [87].  In  the  case  of  Nc  devices,  an 
unknown  device’s  RF-DNA  fingerprint  f  is  assigned  to  class  ct  if: 


P(ci|f)>P(ci|f)  VjVb 


(2.27) 


where  *e{l,  2, . . . ,  Nc}  and  P(q|f)  is  the  conditional  posterior  probability  that  f 
belongs  to  class  c%.  Applying  Bayes’  Rule,  the  conditional  probability  is  computed 
as  [62]: 


P(ci\ f)  = 


P(f|ct)P(c, 

P(f) 


(2.28) 


Due  to  the  assumption  of  equal  prior  probabilities  (P(q)=1/atc)  for  all  classes,  P(cj) 
can  be  neglected  when  evaluating  (2.28).  Since  the  conditional  probability  is  being 
calculated  for  a  given  fingerprint  f ,  the  denominator  remains  constant  across  all  C;  and 
can  be  neglected  as  well.  This  reduces  the  decision  criteria  in  (2.28)  to  maximizing 
the  likelihood  for  P(f|cj)  for  all  Cj. 
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2.3.2  GRLVQI  Processing.  GRLVQI  possesses  several  inherent  advantages 
over  MDA/ML-based  classification  and  is  introduced  here  for  RF-DNA  fingerprinting 
given  that  [43,64]: 

1.  There  is  no  inherent  assumption  nor  actual  knowledge  required  on  input  data 
distribution  (Gaussian,  Rayleigh,  etc.). 

2.  Feature  selection  is  performed  in  conjunction  with  classification. 

3.  Processing  is  well-suited  for  cases  where  the  number  of  inputs  may  be  inconsis¬ 
tent  across  classes  or  where  the  inputs  are  comprised  of  noisy  or  inconsistent 


data. 


4.  A  relevance  ranking  is  assigned  to  each  feature  comprising  an  input  RF-DNA 
fingerprint . 

This  last  advantage  was  the  most  important  for  this  research  in  that  a  direct  mea¬ 
sure  relating  input  feature  significance  to  the  overall  classification  decision  facilitates 
Dimensionality  Reduction  Analysis  (DRA). 

For  GRLVQI  classifier  training  (model  development),  a  predefined  number  of 
prototype  vectors  ( NP ),  each  comprised  of  Nf  features,  are  assigned  to  represent 
each  of  the  Nc  classes/devices.  The  collection  of  all  prototype  vectors  (pn)  is  used 
to  form  matrix  P  of  dimension  (Nc-Np)xNf  with  the  goal  of  defining  classification 
boundaries  that  minimize  the  Bayes  risk.  The  Bayes  risk  is  minimized  by  differen¬ 
tially  shifting  the  best  In-Class  p7  and  Out- of- Class  p°  prototype  vectors  by  some 
distortion  d™  computed  via  [43], 


(2.29) 


i—  1 


where  n=l,2, . . .  ,Np,  Nf  is  the  number  of  features  comprising  an  RF-DNA  finger¬ 
print,  fm  is  a  randomly  selected  input  fingerprint,  pneP,  and  A j  is  the  relevance  (im¬ 
portance  weighting)  of  the  ith  feature  satisfying  1 1  A|  |  i=l  [43]  with  Aj>0  V  iE{  1, . . . ,  Nf} 
At  the  beginning  of  the  classifier  training  process,  A i  is  randomly  initiated.  The  work 
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in  [64]  introduces  a  bias  parameter  Bn  that  is  adapted  from  [26]  to  minimize  utilization 
of  poor  prototype  vectors.  The  resultant  distortion  is  given  by 


rln  —  dn 
aBias  —  a\ 


Br 


B" =  ^  1  iVp  ■  Ku 


(2.30) 

(2.31) 


where  if  is  selected  by  the  user  to  control  the  amount  of  bias  that  is  applied  to  the 
distortion  and  Ffld  is  the  frequency  at  which  a  prototype  vector  is  selected  as  the 
“best”  prototype  vector  (i.e.,  it  has  the  smallest  d^ias  to  fm). 

The  best  in-class  prototype  vector  py  is  the  p",  with  the  same  class  label  as  fm, 
for  which  is  the  smallest.  The  in-class  prototype  vector  distortion  d1=drfias  (i.e., 
the  distortion  value  that  resulted  in  selection  of  pJ).  The  best  out-of-class  prototype 
vector  p°  is  the  pn,  with  a  class  label  that  is  different  than  that  of  fm,  for  which 
d fiias  is  the  smallest.  Thus,  the  out-of-class  prototype  vector  distortion  d°=drj3ias. 
The  prototypes  are  updated  following  selection  of  the  best  in-class  and  out-of-class 
prototype  vectors  by  [43], 


p'(f  +  i)  =  p'(()  + 


p°(i  +  i)  =  pu(i)  + 


o, 


4a7(f)/'|M(fm)ird° 
{d1  +  d°y 


4a0(f)/,|M(fm).rdj 


A(fm-p/(t)), 

(2.32) 

■A(fm  -  p°(t)), 

(2.33) 

id/  +  d°y 

where  A„;  =  Aj,  a1  and  a°  are  the  learn  rates  for  the  in-class  and  out-of-class  proto¬ 
types,  r  is  a  time  decay  term  [64],  and  is  the  first  derivative  of  the  sigmoid 

loss  function: 

M  n,r)  = 

Mn  = 


1 

(2.34) 

1  _|_  e-^(fm)  ’ 

dI-d°\ 

d1  +  dP  )  ’ 

(2.35) 

where  p( fm)  is  the  misclassihcation  measure  [77].  If  /i(fm)<0,  with  p(fm)=— 1  being 
perfect  classification ,  then  a  correct  classification  occurs.  Conversely,  a  misclassih- 
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cation  occurs  if  //( fm)>0  [77].  GRLVQI  implements  a  conditional  update  rule  in  an 
effort  to  minimize  potential  divergence  of  the  prototype  vectors.  Under  this  rule,  both 
of  the  in-class  and  out-of-class  winning  prototype  vectors  are  updated  only  if  the  input 
sample  is  misclassihed;  otherwise,  only  the  in-class  prototype  vector  is  updated  [64], 

Following  selection  of  the  best  in-class  and  out-of-class  prototype  vectors,  the 
learn  rates  a1  and  a°  are  adjusted  and  the  relevances  updated  using  [43] 


AAj 


The  process  is  iterated  for  a  given  number  of  iterations  (iVj)  or  until  other  termination 
criteria  are  satisfied.  Following  termination,  the  prototype  vectors  representing  the 
best  model  fit  and  associated  A  are  available  for  feature  DRA.  The  corresponding 
“best”  Relevance  Vector  is  given  by 


(2.37) 


where  a  higher  A*  value  for  a  given  feature  indicates  that  that  feature  has  greater 
impact  on  classification  performance. 

Figure  2.7  illustrates  GRLVQI  classification ,  in  which  the  distance  between  an 


unknown  RF-DNA  fingerprint  (f)  and  each  of  the  prototype  vectors  comprising  the 
“best”  model  PB  is  computed  by  (2.29).  The  unknown  RF-DNA  fingerprint  (f)  is 
subsequently  assigned  to  class  C\  by, 


(2.38) 


where  phjePB,  *=1,  2, . . . ,  Nc,  and  j= 1,  2, . . . ,  NP. 
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Class  1 


Class  3 


Class  2 


Figure  2.7:  GRLVQI  classification  process  with  an  unknown  fingerprint  (f)  assigned 
to  class  Ci  based  upon  minimum  Euclidean  Distance  computed  in  (2.29)  [73]. 


2-4  Device  ID  Verification 

Unlike  device  classification ,  aone-to-many  looks  “most  like”  assessment  whereby 
an  unknown  device’s  RF-DNA  fingerprints  are  compared  to  each  of  the  Nc  reference 
models,  device  ID  verification  is  a  one-to-one  looks  “how  much”  assessment  that 
enables  authentication  of  a  device’s  digitally  claimed  bit-level  identity:  Medium  Ac¬ 
cess  Control  (MAC)  address,  Electronic  Serial  Number  (ESN),  International  Mobile 
Equipment  Identity  (IMEI)  number,  or  the  Subscriber  Identity  Module  (SIM)  num¬ 
ber.  For  this  research,  a  device  that  falsely  claims  a  digital  identity  that  is  different 
than  its  own,  in  order  to  gain  unauthorized  network  access,  is  designated  as  a  “rogue” 
device.  In  this  case,  the  claimed  identity  is  compared  against  the  specific  reference 
model  associated  with  the  true  identity  [20].  The  resultant  verification  decision  is  bi¬ 
nary,  with  the  device’s  claimed  identity  declared  authentic  (rightly  or  wrongly)  when 
the  verification  test  statistic  meets  or  exceeds  a  predetermined  threshold.  If  the  test 
statistic  fails  to  meet  the  verification  decision  threshold,  the  device  is  deemed  to  be 
an  impostor/impersonator  and  network  access  is  denied. 

As  indicated  in  Table  2.1  and  summarized  below,  there  are  two  types  of  verifi¬ 
cation  errors  that  can  be  made  [20,24,53]: 
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1.  False  Verification:  A  rogue  device’s  false  claimed  ID  is  deemed  authentic  and 
the  device  is  granted  network  access-measured  as  False  Verification  Rate  (FVR). 

2.  False  Reject :  An  authorized  device’s  true  claimed  ID  is  deemed  rogue  and  the 
device  is  not  granted  network  access-measured  as  False  Reject  Rate  (FRR). 


Table  2.1:  Verification  Outcomes  &  Rates. 


System  Declaration  (Rate) 

Actual 

Authorized 

Rogue 

Authorized 

True  Verification  (TVR) 

False  Reject  (FRR) 

Rogue 

False  Verification  (FVR) 

True  Reject  (TRR) 

By  varying  the  decision  threshold  tv,  system  security  can  be  increased  to  reduce 
false  verification  errors  or  decreased  to  reduce  false  reject  errors.  The  Receiver  Op¬ 
erating  Characteristic  (ROC)  curve  and  corresponding  Equal  Error  Rate  (EER)  are 
used  to  establish  device  verification  capability  [20,24],  The  ROC  curve  is  created  by 
plotting  True  Verification  Rate  (TVR)  versus  False  Verification  Rate  (FVR)  as  the 
threshold  value  tv  is  varied  [24,53].  The  EER  is  defined  as  the  point  on  the  ROC 
curve  at  which  the  False  Reject  Rate  (FRR  =  1-TVR)  equals  the  FVR.  The  EER  is 
commonly  used  as  a  summary  statistic  for  comparing  verification  performance  across 
multiple  systems;  however,  it  may  not  represent  the  desired  operating  point  in  a  fielded 
system.  In  general,  a  lower  EER  value  indicates  better  verification  performance  for  a 
given  system  [20,24]. 


III.  Research  Methodology 


This  chapter  describes  the  signal  collection,  detection,  post-collection  processing, 
classification  and  verification  processes  developed  under  this  research,  as  based 
on  work  in  [74]  and  illustrated  in  Fig.  3.1.  Section  3.1  outlines  the  signal  collection 
process  which  is  performed  using  AFITs  RF  Signal  Intercept  and  Collection  System 
(RFSICS).  Section  3.2  describes  the  post-collection  processing  which  includes  digi¬ 
tal  filtering,  burst  detection,  and  the  addition  of  scaled,  like-filtered  Additive  White 
Gaussian  (AWGN)  for  varying  the  analysis  SNR  ( SNRa ).  This  research  considered 
two  different  classification  processing  techniques:  Section  3.3.1  describes  the  Fisher- 
based  Multiple  Discriminant  Analysis/Maximum  Likelihood  (MDA/ML)  process  and 
Section  3.3.2  describes  the  Artificial  Neural  Network  (ANN)-based  Generalized  Rel¬ 
evance  Learning  Vector  Quantization-Improved  (GRLVQI)  process.  Device  bit-level 
identification  (ID)  verification  is  described  in  Section  3.5.1  and  Section  3.5.2  using 
reference  models  developed  during  the  MDA/ML  and  GRLVQI  classifier  training  pro¬ 
cesses,  respectively. 

3.1  Signal  Collection 

The  signal  collection  process  is  illustrated  in  Fig.  3.1  and  includes  the  use 
of  an  Agilent  E3238S-based  RFSICS  having  a  fixed  RF  input  filter  bandwidth  of 
Wrf— 36.0  MHz  that  is  tunable  across  the  range  of  20.0  MHz,  6.0  GHz]  [6]. 
The  selected  frequency  band  is  down-converted  to  an  Intermediate  Frequency  (IF)  of 
fiF— 70  MHz  and  digitized  by  an  Nb=12  bit  Analog-to-Digital  Converter  (ADC)  op¬ 
erating  at  a  sampling  rate  of  fs= 95  mega-samples-per-second  (Msps).  During  analog- 
to-digital  conversion,  the  IF  signal  is  down-converted  to  baseband,  digitally  filtered, 
sub-sampled  in  accordance  with  Nyquist  criteria,  and  subsequently  stored  as  complex 
In-Phase  (/)  and  Quadrature  (Q)  data.  The  devices  under  test  and  the  RFSICS  are 
co-located  in  an  office  building  environment  during  all  collections. 
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Figure  3.1:  Signal  collection  and  post-collection  processing  [74], 


3.2  Post- Collection  Processing 

Following  collection,  down-conversion,  and  storage,  the  RFSICS  signal  file  is 
converted  to  Mat  lab®  format  for  post-collection  processing,  which  included:  1)  digi¬ 
tal  baseband  filtering,  2)  individual  burst  detection  using  Variance  Trajectory  (VT) 
based  upon  the  work  in  [58],  3)  detected  burst  removal  from  the  collection  record, 
and  4)  noise  power  generation,  scaling  and  addition  to  achieve  the  desired  SNRa 
and  model  the  effects  of  differing  channel  conditions.  For  this  work,  the  like-filtered 
AWGN  was  scaled  to  achieve  the  desired  SNRaZL [-3.0,27.0]  dB  and  added  directly 
to  the  collected  I—Q  data.  Given  the  relatively  benign  signal  collection  environ¬ 
ment  and  correspondingly  high  collected  SNRC  which  was  typically  in  the  range  of 
SNRce [30.0, 40.0]  dB,  the  like-filtered  AWGN  was  the  dominant  noise  source. 
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Observation:  While  effective  for  development  and  proof-of-concept 
demonstration,  the  like- filtered  AWGN  SNRa  scaling  process  may  not 
accurately  reflect  true  SNR  variation  effects  caused  by  non-Gaussian 
channel  noise  (e.g.,  Rayleigh,  Chi,  Chi-Squared,  etc.). 


3.2.1  Digital  Filtering.  Collected  signal  SNR  is  improved  by  applying  dig¬ 
ital  filtering  prior  to  burst  detection.  This  filtering  induces  signal  “coloration”  effects 
that  are  representative  of  what  actually  occurs  in  realistic  hardware  processing.  Ta¬ 
ble  3.1  provides  the  parameters  used  for  implementing  the  lowpass  Butterworth  filters 
for  the  WiMAX  and  WiFi  signals.  For  consistency  with  related  signal  modulation 
work,  the  filter  parameters  were  selected  to  achieve  a  baseband  bandwidth  Wbb  that 
is  “slightly  larger”  than  the  signal  bandwidth,  [8]. 

Table  3.1:  Digital  Filter  Parameters. 

Order  (Na)  Bandwidth  (Wbb) 

WiMAX  6  2.5  MHz 

WiFi  4  7.7  MHz 


3.2.2  Burst  Detection.  Amplitude-based  Variance  Trajectory  (VT)  detec¬ 
tion  is  used  to  locate  and  extract  desired  burst  responses  from  the  overall  collection 
record.  Elements  of  the  VT  sequence  {VTa(n)}  are  generated  from  the  instantaneous 
amplitude  sequence  {a(n)},  containing  elements  generated  per  equation  (2.1),  and 
are  generated  using, 

VTa(n)  =  \Wa(n)  —  Wa(n  +  1)|,  (3.1) 

\-\-(rn — 1)  N 

Wa(m )  =  —  ta(n)  “  /hJ2’ 

W  n=l+(m—l)N a 

where  n= 1,  2, . . . ,  Lw  —  1,  m= 1,  2, . . . ,  Lw,  Lw=[(Na  —  Nw)/Ns J  +  1,  Na  is  the  total 
number  of  samples  comprising  a(n ),  Nw  is  the  window  width  and  Na  is  the  number  of 
samples  the  window  advances  between  calculations.  The  sample  mean  /j,w  is  calculated 
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over  consecutive  subsequence  of  elements  { aw(n )},  taken  from  {a(n)}  and  contained 
in  the  window  [58]. 

3.2.3  Signal-to-N oise  Ratio  (SNR)  Scaling.  Following  VT  burst  detection, 
the  SNR  of  complex  collected  signals  is  on  the  order  of  SNRC£ [30.0, 40.0]  dB.  These 
high  SNRC  levels  allow  the  addition  of  power-scaled,  like-filtered  AWGN  to  generate 
analysis  signals  at  the  desired  SNRa ■  These  signals  facilitate  analysis  of  RF-DNA 
fingerprint  generation,  feature  selection,  device  classification,  and  verification  under 
various  degraded  SNR  conditions. 

The  average  power  (A")  in  an  arbitrary  complex  sequence  {x(k)},  k— 1,  2, . . . ,  K, 
is  given  by, 

1  K 

X  =  —J2x(k)x*(k),  (3.2) 

k=  1 

where  x*[k)  denotes  the  complex  conjugate  of  x{k).  Elements  of  the  complex  collected 
signal  sequence  (sc(/c)}  are  comprised  of  two  components, 

sc{k)  =  st(k )  +  nb(k),  (3.3) 

where  sfik)  and  nb(k )  are  elements  of  the  transmitted  complex  signal  and  background 
noise  sequences,  respectively.  Under  the  assumptions  that  1)  the  {sj(/c)}  and  {nb(k)} 
random  sequences  are  independent,  and  2)  the  E[{nb(k)}]=  0,  the  total  average  power 
Sc  in  K  samples  of  {sc(k)}  is  given  by, 

Sc  =  St  +  Nb,  (3.4) 

where  St  and  Nb  are  calculated  using  (3.2)  and  given  by, 

1  K 

St=  —^st(k)s*t(k),  (3.5) 

k=  1 
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(3.6) 


/Vi=  ^J2nb(k)nl(k). 

k=  1 

Under  the  two  previously  stated  assumptions,  (3.5)  and  (3.6)  can  be  used  to  calculate 
the  collected  signal  SNR  (in  dB)  as  follows: 

SNR f  =  10  x  log, o  (Js)  .  (3.7) 

Now  accounting  for  the  addition  of  zero  mean,  independent  AWGN  samples 
nA(k),  elements  of  the  desired  analysis  signal  sequence  (s^/c)}  are  generated  using 
(3.3)  and  given  by, 

sA(k)  =  st(k)  +  nb(k)  +  nA(k).  (3.8) 

The  desired  analysis  SNRA  of  sequence  {sa(^)}  is  achieved  by  scaling  the  av¬ 
erage  power  in  {nA[k)}.  The  elements  in  {nA(k)}  are  first  generated  as  independent 
complex  AWGN  samples  such  that  E[{nA{k)}]  =  0  (zero  mean)  and  E[{nA(k)2}]= 1 
(unit  variance).  The  complex  noise  samples  are  then  digitally  filtered  using  the  same 
parameters  used  to  filter  the  signal  of  interest  (WiMAX  or  WiFi  per  Table  3.1  in 
Section  3.2.1).  The  like-filtered,  complex  noise  samples  are  then  multiplied  by  scale 
factor  Rn  to  achieve  the  desired  SNRA,  with  power-scaling  factor  Rn  calculated  as, 

/  SNRd.B 

Rn  =  VlO^o^  x  St.  (3.9) 

Multiplying  each  filtered  noise  sample  by  Rn  yields  a  total  average  AWGN  power 
that  is  denoted  here  by  Pq-  Using  this,  the  SNRA  (in  dB)  for  the  analysis  signal 
given  by  (3.8)  can  be  calculated  using, 

SNRf  =  10  x  logw  (j^pa)  ■  (3.10) 

Given  the  range  of  actual  collected  SNRC£L  [30.0, 40.0]  dB,  and  the  desired  range 
of  analysis  S NRAE [-3.0,27.0]  dB,  the  like-filtered  AWGN  noise  contribution  domi- 
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nates  such  that  PG^Nb  and  (3.10)  simplifies  to, 


SNR™  «  10  x  log10  .  (3.11) 


Observation:  The  disparity  between  collected  SNRC  and  desired  SNRa 
results  in  PG^>Nb  and  effectively  simulates  conditions  for  assessing  per¬ 
formance  under  AWGN  channel  noise  conditions. 


3.3  Training  and  Classification 

A  total  of  A’b=1000  emissions  per  device  were  used  for  generating  RF-DNA 
fingerprints  and  assessing  classifier  performance.  The  first  500  were  used  to  generate 
“training”  fingerprints  and  the  remaining  500  were  used  to  generate  “testing”  fin¬ 
gerprints  fg,  where  subscript  (3  denotes  the  type  of  fingerprint  (TD,  SD,  GT,  or  GWT) 
used  as  described  in  Section  2.2.  As  in  conventional  classifier  performance  assessment, 
the  set  of  represents  “known”  data  used  for  model  development /classifier  training 
and  the  set  of  represents  previously  “unseen”  device  emissions  that  were  not  used 
for  model  development /classifier  training. 

To  improve  model  development  robustness  and  analysis  reliability,  Monte  Carlo 
training  and  classification  were  accomplished  at  each  desired  SNRaE[— 3.0,  27.0]  dB 
using  Ah=10  independent  like-filtered  AWGN  noise  realizations  per  device  fingerprint 
and  A' =5- fold  cross-validation.  While  the  value  of  K  can  be  data  dependent,  values  of 
K=5  and  AT=10  are  consistent  with  common  practice  [48].  A'-fold  cross-validation  is  a 
classifier  model  validation  technique  in  which  the  training  set  of  RF-DNA  fingerprints 
is  partitioned  into  K  equally  sized  subsets.  Classifier  training  is  performed  using  A"— 1 
subsets  while  the  remaining  subset  is  “held-out”  for  validation  of  the  resulting  model. 
The  A'-fold  process  is  repeated  a  total  of  K  times  until  each  of  the  subsets  have  been 
“held  out” .  Then  the  average  correct  classification  performance  is  computed  across  all 
K  trials.  This  process  ensures  that  every  RF-DNA  fingerprint  is  “held  out”  exactly 
once  and  used  for  training  A"— 1  times.  Selection  of  the  “best”  classification  model 
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was  based  on  minimum  classification  error  achieved  across  all  noise  realizations  and 
cross-validation  folds  for  each  SNRa . 

3.3.1  MDA/ML  Processing.  The  MDA/ML  classifier  was  implemented  as 
described  in  Section  2.3.1.  Classifier  model  development  was  performed  using  Nb—500 
f g  RF-DNA  fingerprints  and  1V2=10  independent  noise  realizations  per  fg  at  each 
investigated  SNR.  The  “best”  SNR-dependent  model  W B  was  selected  and  a  mul¬ 
tivariate  Gaussian  fitted  to  projected  —igxW  B  fingerprints  for  each  of  the  Nq 
classes  using  (2.24)  and  (2.25).  Classification  performance  was  then  assessed  using 
Ar£=500  fg  RF-DNA  fingerprints  and  AC=10  noise  realizations  per  fingerprint  at  each 
investigated  SNRa ;  a  total  of  500x10=5000  independent  Monte  Carlo  classification 
decisions  per  SNRa . 

For  each  test  fingerprint  fg,  the  likelihood  is  computed  for  each  of  the  Nq  classes 
using  the  multivariate  Gaussian  models  developed  during  training.  The  resultant 
classification  decision  for  fj*  being  assigned  to  class  c  according  to, 

argmax  (p^/f^))  ,  (3.12) 

where  i= 1, . . . ,  Nq  and  P(ci|fgV)  is  the  conditional  posterior  probability  that  fj*  be¬ 
longs  to  class  Cj.  Results  for  MDA/ML  device  classification  performance  are  presented 
in  Section  4.1  and  Section  4.2  for  RF-DNA  fingerprints  extracted  from  WiMAX  and 
WiFi  signals,  respectively. 

3.3.2  GRLVQI  Processing.  The  GRLVQI  classifier  was  implemented  per 
Section  2.3.2  using  the  parameters  in  Table  3.2,  where  Nj  is  the  number  of  itera¬ 
tions,  Nf  is  the  number  of  fingerprint  features,  and  Np  is  the  number  of  prototype 
vectors.  These  specific  parameter  values  were  empirically  selected  based  on  a  series 
of  initial  studies  conducted  using  GT  RF-DNA  fingerprints,  extracted  from  near¬ 
transient  WiMAX  transmissions  at  SNRa=3.0  dB  and  Nq— 3  devices,  that  resulted 
in  consistent  classification  performance  within  reasonable  computation  times. 
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Table  3.2:  GRLVQI  Classifier  Parameters. 


Nc 

Nf 

Nf 

NP 

WiMAX 

6 

1200 

204 

10 

WiFi 

4 

1200 

363 

10 

As  with  MDA/ML  processing,  GRLVQI  training  and  testing  was  accomplished 
using  A’b=500  independent  fg  and  fg  RF-DNA  fingerprints  and  iVz=10  independent 
noise  realizations  per  fingerprint  at  each  investigated  SNR.  Accounting  for  the  1VZ=10 
independent  Monte  Carlo  noise  realizations  per  fingerprint,  all  results  presented  in 
Chapter  IV  are  based  on  5000  independent  classification  decisions. 

For  each  test  fingerprint  fg,  the  GRLVQI  classification  process  declares  fg  as 
belonging  to  class  c  according  to, 


A*  (fi  ~  P™’c 

where  fi  is  the  ith  feature  element  of  fg,  AjGA  is  the  relevance  ranking  of  the  ith  feature, 
and  n=l,  2, . . . ,  Ap  with  pn,c  being  the  nth  prototype  vector  associated  with  class 
model  c.  The  resultant  classification  decision  represents  a  one-to-many  “best  match” 
based  on  a  Euclidean  distance  metric  that  has  been  used  successfully  in  previous 
research  [43,64],  Results  for  GRLVQI  device  classification  performance  are  presented 
in  Section  4.1  and  Section  4.2  for  RF-DNA  fingerprints  extracted  from  WiMAX  and 
WiFi  signals,  respectively. 

3.4  Dimensional  Reduction  Analysis  (DR A) 

As  noted  in  Section  2.3.2,  one  key  advantage  of  the  GRLVQI  process  over 
MDA/ML  processing  is  that  it  inherently  provides  a  measure  (AjG  A  for  i— 1,  2, . . . ,  Nf) 
for  each  RF-DNA  fingerprint  feature,  the  value  of  which  indicates  the  relevance  of  that 
feature  on  the  overall  classification  decision. 


argmm 

C 


\ 


Nf 

X 

i—  1 


(3.13) 


36 


Process:  Dimensional  Reduction  Analysis  (DRA)  is  enabled  by  rank¬ 
ordering  RF-DNA  fingerprint  features  based  on  their  relevance  to  overall 
classification.  Once  identified,  a  given  number  of  less  relevant  features 
can  be  removed  and  lower  dimensional  fingerprints  used  for  classification 
while  maintaining  a  desired  level  of  performance. 


The  “best”  GRLVQI  classification  model  P#  and  associated  relevance  rank¬ 
ing  XB  are  selected  based  upon  the  minimum  classification  error  achieved  across  all 
noise  realizations  and  cross-validation  folds  at  each  investigated  SNRa ■  Each  \B  is 
subsequently  stored  in  a  NsxNf,  where  Ng  is  the  number  of  SNRa  and  Nf  is  the 
number  of  features  comprising  the  RF-DNA  fingerprints,  matrix  AB .  Figure  3.2  shows 
representative  “best”  GRLVQI  relevance  values  Af EAB i  for  each  SNRa  considered. 
Figure  3.2  clearly  illustrates  the  dependence  of  feature  relevance  on  SNR  [72],  There 
are  various  strategies  for  selecting  the  “best”  ranked  dimensionally  reduced  feature 
sets  based  upon  the  relevance  ranking  values  comprising  ABsxNp.  Using  a  given  rel¬ 
evance  vector  XB  the  indexes  associated  with  the  relevance  values  Af  €  XB  can  be 
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Figure  3.2:  Overlay  of  WiMAX  GT  relevance  rankings  (Af )  for  a  full-dimensional 
Af-=204  feature  set  at  indicated  SNR  [72], 
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selected  by, 

/(AB,9)  =  {ieN:Af  >9},  (3.14) 

f:RN*->  R(N),  (3.15) 

where  6  is  the  relevance  ranking  selection  threshold,  i= 1,  2, . . . ,  Nf,  N:={1,  2, . . . ,  Nf}, 
and  V  is  the  power  set  of  N.  This  is  extended  to  operate  on  the  matrix  A B  by, 

/„(AB,0)  =  {ieN:AB  >»„}  (3.16) 

where  0  =  (9 i, . . . ,  0Ns)  and  h= 1,  2, . . . ,  Ng.  This  work  considers  four  methods  for 
selecting  DRA  subsets,  based  upon  A5,  for  the  DRA  results  presented  in  Section  4.1.3 
and  Section  4.2.3.  Using  (3.16),  the  four  DRA  methods  are  implemented  as  [72]: 

1.  DRA  Method  #1 :  Uses  highest  ranked  relevance  values  generated  at  a  single 
SNR  to  assess  classification  performance  at  all  SNR  and  selected  according  to, 

Af  e/,(AB  (3.17) 

where  h= 1,2, . . .  ,Ng,  is  a  vector  of  the  relevance  values  selected  from  the 
jth  row  of  matrix  AB  according  to  (3.14)  . 

2.  DRA  Method  #2\  Uses  highest  ranked  relevance  values  for  each  SNR  con¬ 
sidered  to  assess  classification  performance  at  that  same  SNR  and  chosen  by, 

A?e  A(Af,,  9„),  (3.18) 

where  h= 1,  2, . . . ,  Ng  and  is  a  vector  comprised  of  the  relevance  values  that 
satisfy  (3.16)  at  the  selected  SNR. 
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3.  DR  A  Method  #3:  Uses  highest  ranked  relevance  values  based  on  the  average 
relevance  rankings  calculated  across  all  SNR  considered  and  selected  by, 


-r -R 

A  G 


/ 


(3.19) 


_ 

where  A  is  the  reduced  average  feature  relevance  rankings  selected  by  (3.14). 

4.  DR  A  Method  #4  ’■  Uses  the  union  of  the  highest  ranked  relevance  values 
across  all  SNR  considered  and  chosen  according  to, 

Ns 

A  e(jA(AB,e).  (3  20) 

h= 1 

where  A  is  a  vector  of  relevance  ranking  values  that  are  the  union  of  all  X^tEAB 
that  satisfy  (3.16). 

Figure  3.3  provides  an  illustration  of  the  highest  ranked  relevance  ranking  values  for 
each  of  the  four  methods  and  selected  according  to  (3.16). 
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Figure  3.3:  Overlay  of  highest  relevance  ranking  values  using  each  of  the  four  DRA 
methods  and  the  selection  operation  in  (3.16). 

3.5  Device  Bit-Level  ID  Verification 

As  outlined  in  Section  2.4,  the  one-to-one  bit-level  ID  verification  process  for 
devices  differs  from  the  one-to-many  “best  match”  classification  process.  Specifically, 
the  ID  verification  process  generates  a  measure  of  similarity  that  indicates  “how 
much”  an  unknown  device’s  current  RF-DNA  fingerprint  matches  the  stored  true 
reference  model  associated  with  the  claimed  identity  being  presented  by  the  unknown 
device  [20,71-73].  The  unknown  device  is  either  authorized  or  rogue  and  presents 
bit-level  credentials  (e.g.,  MAC  address,  IME1  number,  SIM  number,  etc.)  to  the 
network  for  authentication.  The  one-to-one  ID  verification  process  is  used  here  to 
assess  two  scenarios: 

1.  Authorized  Device  ID  Verification:  Granting  network  access  to  authorized  users 
presenting  proper  bit-level  credentials. 

2.  Rogue  Device  Detection:  Denying  network  access  to  unauthorized  rogue  devices 
presenting  false  bit-level  credentials. 
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The  device  verification  process  is  implemented  using  a  measure  of  similarity, 
or  verification  test  statistic  zv,  that  can  be  based  on  1)  statistical  measures  such 
Bayesian  posterior  probability  as  in  [20,29,71],  2)  geometric  measures  such  as  Eu¬ 
clidean  distance,  spatial  angle,  etc.  [72,73],  or  3)  some  combination  thereof. 


3.5.1  MDA/ML  Processing.  For  MDA/ML  device  ID  verification ,  the  sim¬ 
ilarity  measure  zv  is  generated  from  normalized  a  posterior  probability.  This  is  done 
using  a  collection  of  input  testing  fingerprints  fg  from  an  “unknown”  device  (au¬ 
thorized  or  rogue)  and  projection  matrix  W b  from  MDA/ML  training  using  Nq 
authorized  devices.  The  projected  “unknown”  fingerprint  responses  are  calculated  as 
fJv=f/jX  W  and  used  to  calculate  Nq  conditional  probabilities  representing  a  measure 
of  “how  much”  LA  looks  like  each  of  the  “authorized”  device  models.  The  resultant 
posterior  probability  vector  for  each  input  fj*  is  given  by, 


P 


P(Cl\^),P(c2\^),...,P(cN^ 


(3.21) 


and  subsequently  normalized  as, 


P 


P 


E£  p 


(3.22) 


For  ID  verification,  the  resultant  decision  is  binary  and  the  device’s  claimed  identity 
is  deemed  authentic  (rightly  or  wrongly)  when  the  normalized  a  posterior  probability 
P  in  (3.22)  meets  or  exceeds  a  predetermined  threshold: 


4  =  W,w)  >  t. 


(3.23) 


where  c  is  the  class  the  device  has  claimed  to  belong,  and  tv  is  the  verification  decision 
threshold.  If  the  posterior  probability  fails  to  meet  the  verification  decision  threshold, 
the  device  is  deemed  to  be  an  impostor/impersonator  (rightly  or  wrongly)  and  denied 
network  access. 
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The  impact  of  varying  threshold  tv  in  (3.23)  is  illustrated  using  the  represen¬ 
tative  In-Class  and  Out-of-Class  Probability  Mass  Functions  (PMF)  in  Fig.  3.4  for 
an  arbitrary  test  statistic  zv.  The  In-Class  PMF  is  generated  using  zv  for  the  case 
when  an  unknown  device  presents  proper  bit-level  credentials  matching  an  authorized 
device  and  the  unknown  device  is,  in  fact,  the  authorized  device.  The  corresponding 
in-class  probability  is  denoted  by, 


p(zv\Ci,Di)  ,  (3.24) 

where  Ci  is  the  ID  “claimed”  by  the  unknown  device  and  Di  is  the  “actual”  unknown 
device’s  ID.  The  Out-of-Class  PMF  is  generated  using  zv  for  the  case  when  an  un¬ 
known  device  falsely  presents  bit-level  credentials  of  an  authorized  device  but  is  in 
fact  a  “rogue”  device  posing  as  an  authorized  device.  The  corresponding  out-of-class 
probability  is  denoted  by, 

p^C^Df),  (3.25) 


where  j—  1,2,...,  Nc  and  ifi^j. 

Varying  the  value  of  tv  over  the  interval  of  [0, 1]  in  Fig.  3.4  yields  varying  levels 
of  network  security  which  correlate  to  achieving  either  1)  reduced  rogue  device  access 
error  (i.e. ,  reducing  the  out-of-class  shaded  area  right  of  tv)  or  2)  reduced  authorized 
device  rejection  error  (i.e.,  reducing  the  in-class  unshaded  area  left,  of  tv)  [24,53];  the 
inability  to  simultaneous  achieve  both  of  these  desired  effects  is  evident  for  the  given 
PMFs  shown  in  Fig.  3.4. 

3.5.2  GRLVQI  Processing.  As  done  for  GRLVQI  classification  in  Sec¬ 
tion  3.3.2,  composite  testing  fingerprints  fg  for  an  unknown  device  are  used  for  device 
ID  verification.  Given  the  pth  GRLVQI  prototype  vector  from  class  c  (pn’c),  four 
similarity  measures  were  considered  for  GRLVQI  processing,  including: 
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Figure  3.4:  Representative  In-Class  (unfilled)  and  Out-of-Class  (filled)  Probability 
Mass  Functions  (PMFs)  for  arbitrary  test  statistic  zv  using  a  traditional  verification 
threshold  tv  in  (3.23). 

1.  A  Weighted  Euclidean  Distance  metric  calculated  as, 


zfAn, 


c  = 


\ 


Nf 

i= 1 


n  n 

Ji -Pi 


(3.26) 


where  /*€ fa  and  p"’cGpn,c. 

2.  A  Normalized  Euclidean  Distance  metric  calculated  as, 


4(nw) _ 

(f<y  ■  vSShwc 


(3.27) 


3.  A  Spatial  Angle  metric  calculated  as, 


zev(n,c)  =  cos  1  [; Ze(n,c )]  , 


(3.28) 
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where, 


4.  A  Distance- Angle  Product  metric  calculated  directly  from  (3.27)  and  (3.28)  as, 


4\n,c )  =  z„(n,c)  x  zev(n,c)  . 


(3.29) 


Motivation:  Introduction  of  the  Distance- Angle  Product  metric  was 
motivated  by  the  fact  that  the  GRLVQI  classifier  assigns  an  unknown 
fingerprint  to  a  given  class  based  upon  minimum  distance.  The  idea  is 
to  bias  the  process  to  select  prototype  vectors  having  both  small  spatial 
angle  and  minimum  distance  to  the  unknown  fingerprint. 


The  test  statistic  mean  (/z2)  and  standard  deviation  ( az )  are  calculated  for  a 
given  zv  from  (3.26)  through  (3.29)  and  corresponding  PMFs  for  each  of  the  N: £  classes 
used  for  device  ID  verification.  A  device’s  claimed  identity  is  correctly  or  incorrectly 
verified  according  to  a  binary  decision  based  upon, 


(3.30) 


where  tv  is  the  verification  threshold  given  by 


tv  l^z  T  (h  '  Fz)  1 


(3.31) 


with  g  controlling  the  span  of  a  window  centered  about  class  mean  fiz.  The  unknown 
device  is  declared  rogue  (rightly  or  wrongly)  if  zv  falls  outside  the  verification  window. 

This  GRLVQI  verification  thresholding  process  is  illustrated  using  the  repre¬ 
sentative  In-Class  (unfilled  bars)  and  Out-of-Class  (filled  bars)  verification  PMFs  in 
Fig.  3.5  for  an  arbitrary  zv,  with  the  PMFs  generated  per  (3.24)  and  (3.25),  respec¬ 
tively.  As  with  MDA/ML-based  verification,  the  In-Class  PMF  reflects  a  measure  of 
“how  much”  current  fingerprints  from  authorized  device  c  match  the  stored  reference 
model  associated  with  the  actual/true  bit-level  credentials  for  device  c.  The  Out-of- 
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Class  PMF  reflects  a  measure  of  “how  much”  current  fingerprints  from  an  unknown 
device,  either  an  authorized  or  previously  “unseen”  rogue  device  falsely  presenting 
“claimed”  bit-level  credentials  for  device  c  that  differ  from  its  own,  matches  the  stored 
reference  model  associated  with  the  “claimed”  bit-level  credentials  for  device  c. 

GRLVQI  device  ID  verification  performance  in  Chapter  IV  is  evaluated  using 
PMFs  similar  to  those  in  Fig.  3.5  by  varying  threshold  tv(rj)  and  generating  conven¬ 
tional  verification  outcomes  (rates)  as  shown  in  Table  2.1  [20,24,53]  and  reintroduced 
here  as  Table  3.3  for  completeness.  If  the  “unknown”  device  is  an  authorized  device 
presenting  correct  bit-level  credentials,  True  Verification  Rate  (TVR)  provides  a  direct 
measure  of  the  Authorized  Device  Verification  Rate  (ADVR).  If  the  “unknown”  device 
is  a  rogue  device  presenting  false  bit-level  credentials,  the  TVR  outcome  corresponds 
to  falsely  granting  network  access  and  the  Rogue  Device  Detection  Rate  (RDDR)  can 
be  calculated  as  RDDR=1— TVR. 

Typical  rate  behavior  is  illustrated  in  Fig.  3.6  for  variation  in  tv(r)).  Rate  trade¬ 
offs  are  quantitatively  assessed  using  a  Receiver  Operating  Characteristic  (ROC)  curve 


Figure  3.5:  Representative  In-Class  (unfilled)  and  Out-of-Class  (filled)  Probability 
Mass  Functions  (PMFs)  for  arbitrary  test  statistic  zv  using  a  modified  verification 
threshold  tv  in  (3.30)  [72], 
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Table  3.3:  Verification  Outcomes  &  Rates. 


System  Declaration  (Rate) 

Actual 

Authorized 

Rogue 

Authorized 

True  Verification  (TVR) 

False  Reject  (FRR) 

Rogue 

False  Verification  (FVR) 

True  Reject  (TRR) 

and  associated  Equal  Error  Rate  (EER)  point  as  shown  in  Fig.  3.7  [34].  To  character¬ 
ize  ADVR  for  authorized  devices,  ROC  results  in  Chapter  IV  are  generated  as  TVR 
versus  False  Verification  Rate  (FVR).  For  rogue  RDDR  characterization,  ROC  results 
generated  as  TVR  versus  Rogue  Accept  Rate  (RAR). 


Presentation:  ROC  EER  points  are  presented  in  figures  for  reference 
only  and  to  enable  qualitative  visual  assessment.  They  are  not  intended 
to  represent  optimal  operating  points  for  either  the  proof-of-concept  re¬ 
sults  presented  herein  or  envisioned  operational  applications. 


Figure  3.6:  Percent  correct  (True)  and  incorrect  (False)  ID  verification  versus  thresh¬ 
old  width  (77)  [72], 
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False  Verification  Rate  (FVR) 

Figure  3.7:  ROC  curve  for  True  Verification  Rate  (TVR)  vs.  False  Verification  Rate 
(FVR)  and  corresponding  EER  point  [72], 
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IV.  Device  Classification  and  ID  Verification  Results 


This  chapter  presents  results  and  analysis  for  classification  and  verification  of 
IEEE  802. 16e  WiMAX  and  802.11a  WiFi  devices  using  the  the  Multiple  Dis¬ 
criminant  Analysis,  Maximum  Likelihood  (MDA/ML)  and  Generalized  Relevance 
Learning  Vector  Quantized-Improved  (GRLVQI)  classifiers  described  in  Section  2.3.1 
and  Section  2.3.2,  respectively.  Section  4.1  presents  results  for  802. 16e  WiMAX  de¬ 
vices  and  Section  4.2  presents  results  for  802.11a  WiFi  devices.  This  includes  classifi¬ 
cation  results  using  1)  a  full-dimensional  feature  set  in  Section  4.1.1  and  Section  4.1.2 
for  WiMAX  and  Section  4.2.1  and  Section  4.2.2  for  WiFi,  and  2)  reduced  dimensional 
feature  sets  in  Section  4.1.3  (WiMAX)  and  Section  4.2.3  (WiFi).  Section  4.1.4  and 
Section  4.2.4  present  verification  performance  results  for  both  authorized  and  rogue 
devices  operating  within  a  WiMAX  and  WiFi  network,  respectively. 

The  RF-DNA  fingerprints  used  for  demonstration  were  based  on  ID  Time  Do¬ 
main  (TD),  ID  Spectral  Domain  (SD),  2D  Gabor  Transform  (GT),  and  2D  Gabor- 
Wigner  Transform  (GWT)  features  as  indicated.  The  RF-DNA  features  were  gener¬ 
ated  from  A#=1000  signal  responses  per  device  in  accordance  with  the  methodologies 
detailed  in  Section  2.2.1  (TD),  Section  2.2.2  (SD),  and  Section  2.2.3  (GT  and  GWT). 
The  resultant  TD,  SD,  GT,  or  GWT  fingerprints  were  comprised  of  Nf  total  RF- 
DNA  features  with  the  value  of  Nf  depending  on  fingerprint  type  and  assessment 
objectives.  For  802. 16e  WiMAX  results  in  Section  4.1  and  802.11a  WiFi  results  in 
Section  4.2,  the  MDA/ML  classifier  was  implemented  using  procedures  described  in 
Section  2.3.1  and  Section  3.3.1  and  the  GRLVQI  classifier  was  implemented  using 
procedures  described  in  Section  2.3.2  and  Section  3.3.2. 

To  facilitate  direct  comparison  of  MDA/ML  and  GRLVQI  fingerprinting  tech¬ 
niques,  the  same  set  of  RF-DNA  fingerprints  (FioooxAy),  with  each  fingerprint  gener¬ 
ated  using  an  independent  Additive  White  Gaussian  Noise  (AWGN)  realization,  was 
input  to  both  classifiers.  This  enabled  reliable  comparative  assessment  based  on  95% 
Confidence  Intervals  (Cl— 95%)  using  Monte  Carlo  simulation. 
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Presentation:  To  enhance  visual  clarity  and  qualitative  assessment,  the 
Cl =95%  intervals  are  intentionally  omitted  from  all  figures.  However, 
all  figure  data  markers  (squares,  circles,  triangles,  etc.)  have  been  ap¬ 
propriately  sized  such  that  their  vertical  extent  exceeds  the  (71=95% 
interval.  Thus,  overlapping  data  markers  which  encompass  data  mean 
values  represent  statistically  identical  results  while  non-overlapping  data 
markers  represent  statistically  different  results. 


Consistent  with  common  best  practices  used  in  pattern  recognition  [48],  the 
selected  collection  of  NB— 1000  RF-DNA  fingerprints  (TD,  SD,  GT,  or  GWT)  was 
partitioned  into  two  subsets: 

1.  The  first  subset  of  F  was  used  for  classifier  training  and  validation  of  the  devel¬ 
oped  device  reference  model.  The  “best”  reference  model  (W#  for  MDA/ML 
and  Pb  for  GRLVQI)  was  selected  by  tracking  classification  during  K-fold  cross- 
validation  and  selecting  the  fold  model  that  yielded  minimum  classification  error 
(1-%C)  across  all  K=5  cross-validation  folds  and  AG=10  AWGN  realizations. 

2.  The  second  subset  of  F  was  used  for  “blind”  testing  the  classifier  to  assess  the 
“best”  model’s  (Wg  or  P#)  classification  performance  using  previously  unseen 
RF-DNA  fingerprints,  i.e. ,  fingerprints  not  used  for  classifier  training  or  valida¬ 
tion  in  Step  1.  All  results  presented  herein  are  based  on  classifier  performance 
using  the  “blind”  test  set  of  RF-DNA  fingerprints. 


The  procedures  in  Section  3.1  and  Section  3.2  were  applied  to  generate  RF-DNA 
fingerprint  sets  at  the  desired  SNR.  This  includes  extraction  of  ArB=1000  complex 
bursts  from  collected  signal  records,  down-conversion  and  digital  baseband  filtering, 
and  the  addition  of  power-scaled  AWGN  realizations  to  achieve  the  desired  Analysis 
SNRa. 


Presentation:  While  notationally  introduced  as  SNRA  for  development 
in  Chapter  III,  the  subscript  A  is  henceforth  dropped  and  SNR  simply 
used  throughout  the  remainder  of  this  chapter. 
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4-1  IEEE  802. 16e  WiMAX  Results 


WiMAX  Device  classification  and  verification  results  were  generated  using  se¬ 
lected  RF-DNA  fingerprints  extracted  from  emissions  of  six  like-model  802. 16e  WiMAX 
MS  devices-denoted  herein  as  ID  ^s  MS63A7,  MS63A9,  MS66E7,  MS6373,  MS6387, 
MSD905;  thus,  serial  number  discrimination  was  assessed.  The  procedures  in  Sec¬ 
tion  3.1  and  Section  3.2  were  applied  to  generate  RF-DNA  fingerprint  sets  having  a 
total  of  Ars=1000  complex  bursts  per  device.  In  accordance  with  Section  3.2,  the  col¬ 
lected  signals  were  digitally  filtered,  individual  bursts  detected  and  removed  from  the 
overall  collection  record,  and  the  SNR  scaled  to  achieve  the  desired  Analysis  SNRa . 

Assessment  results  in  this  chapter  are  for  SNRe[— 3.0,  27.0]  dB  in  3.0  dB  incre¬ 
ments,  with  the  SNR  scaling  process  was  repeated  Nz= 10  times  to  ensure  sufficient 
statistical  significance  for  Monte  Carlo  analysis.  For  WiMAX  assessment,  the  full¬ 
dimensional  TD,  SD,  GT,  or  GWT  fingerprints  were  comprised  of  Nf— [72,  24,  204,  204], 
Results  are  first  presented  for  full-dimensional  RF-DNA  fingerprinting  in  Section  4.1.1 
and  Section  4.1.2  followed  by  reduced  dimensional  fingerprinting  results  in  Section  4.1.3. 

4-1.1  Full  Dimensional  WiMAX  Classification:  MDA/ML.  Figure  4.1 
shows  cross-device  average  and  individual  device  MDA/ML  Correct  Classification  Per¬ 
centage  (%C)  using  TD,  SD,  GT,  and  GWT  RF-DNA  fingerprints  for  SNR&[— 3.0,  27.0]  dB. 
Figure  4.1(a)  shows  MDA/ML  performance  using  TD  RF-DNA  fingerprints  ( Nf=72 
features)  and  reflects  1)  cross-device  average  classification  performance  of  %C>90% 
for  SNR>15.0  dB,  and  2)  individual  device  %C>90%  for  5  of  6  WiMAX  MS  devices. 

As  indicated  in  Fig.  4.1(b),  performance  with  SD  RF-DNA  features  is  considerably 
poorer  with  %C>90%  achieved  for  only  one  device  (MSD905)  at  SNR>  12.0  dB.  Fig¬ 
ure  4.1(c)  and  Fig.  4.1(d)  present  performance  using  joint  T-F  domain  fingerprints 
generated  using  GT  and  GWT  features,  respectively.  From  a  cross-device  average 
perspective,  GT  features  are  superior  with  %C>90%  achieved  for  SNR>7.5  dB.  This 
represents  a  “gain”  of  4.5  dB  relative  to  GWT  RF-DNA  fingerprinting  which 
requires  SNR>  12.0  dB  to  achieve  average  performance  of  %C>90%. 
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Definition:  Gain  (Gp):  Reduction  in  required  SNR,  in  dB,  for  two 
methods  to  achieve  a  given  %C  classification  performance. 

The  superiority  of  GT  features  is  also  evident  when  analyzing  individual  device 
performances.  GT  feature  results  in  Fig.  4.1(c)  show  that  all  devices  achieve  the 
%C>90%  benchmark  for  SNR>12.0  dB.  This  is  in  sharp  contrast  to  GWT  results 
in  Fig.  4.1(d)  which  show  that  two  devices  (MS63A7  and  MS66E7)  never  reach  the 
%C>90%  benchmark  for  all  SNR  considered.  Based  upon  results  in  Fig.  4.1,  it  is  con¬ 
cluded  that  GT  RF-DNA  features  are  the  best  alternative  for  achieving  serial  number 
classification  of  802. 16e  WiMAX  MS  devices  when  using  MDA/ML  processing. 


General:  The  underlying  factors  for  GT  feature  superiority,  relative  to 
what  is  achieved  with  GWT  features,  was  not  of  primary  interest.  Recall 
that  GWT  features  were  introduced  as  a  means  to  assess  linear  versus 
non-linear  feature  performance  in  a  multipath  environment. 


Note:  The  superiority  of  GT  fingerprinting  in  Fig.  4.1  is  not  attributable 
to  the  larger  number  of  full- dimensional  features  being  used.  This  is 
subsequently  demonstrated  using  DRA  in  Section  4.1.3. 


4-1.2  Full- Dimensional  WiMAX  Classification:  GRLVQI.  Full- dimensional 
GRLVQI  classification  performance  was  assessed  using  the  same  six  WiMAX  MS  de¬ 
vices  used  for  classification  assessment  in  Section  4.1.1.  Individual  device  as  well  as 
average  GRLVQI  %C  performance  using  TD,  SD,  GT,  and  GWT  RF-DNA  finger¬ 
prints  at  SNRe[— 3.0,  27.0]  dB  is  shown  in  Fig.  4.2.  For  TD  RF-DNA  fingerprints, 
two  of  six  individual  WiMAX  MS  devices  (MS634A7  and  MSD905)  achieve  90%  or 
better  correct  classification  at  SNR>9.0  dB.  Classification  of  MS6387  is  individually 
classified  correctly  at  90%  for  15<S'Ari?>21.0  dB;  however,  individual  classification 
of  the  remaining  WiMAX  devices  fails  to  achieve  %C=90%  using  TD  RF-DNA  fin¬ 
gerprints,  Fig.  4.2(a).  Average  GRLVQI  classification  using  TD  fingerprints  is  90% 
or  better  for  S7Vi?>24.0  dB.  Figure  4.2(b)  illustrates  individual  device  and  average 
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%  Correct  %  Correct 


(a)  Time  Domain  (TD):  Nf =72. 


(b)  Spectral  Domain  (SD):  N/= 24. 


(c)  Gabor  Transform  (GT):  Nf= 204 


(d)  Gabor-Wigner  Transform  (GWT):  A^=204 


Figure  4.1:  Full-Dimensional  MDA/ML  classification  performance  using  TD,  SD,  GT 
and  GWT  RF-DNA  features  from  six  802. 16e  WiMAX  devices  [76]. 
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classification  performance  using  SD  RF-DNA  fingerprints.  The  GRLVQI  classifier 
correctly  identifies  device  MSD905  with  %C=90%  certainty  for  SNR>  15.0  dB.  All 
other  individual  devices  as  well  as  average  classification  performance  fails  to  achieve 
the  %C=90%  benchmark.  Figure  4.2(c)  provides  an  illustration  of  individual  as  well 
as  average  device  GRLVQI  classification  performance  using  GT-based  RF-DNA  fin¬ 
gerprints.  Individual  device  classification  performance  is  90%  or  better  for  all  WiMAX 
MS  devices,  except  MS6373,  for  SNR>  15.0  dB.  MSD905  is  corretly  classified  at  90% 
or  better  for  all  investigated  SNRs.  Average  device  classification  performance  is  90% 
or  better  for  SNR>  12.0  dB. 

GRLVQI  individual  and  average  device  classification  performance,  using  GWT 
RF-DNA  fingerprints,  is  shown  in  Fig.  4.2(d).  As  with  GT  fingerprint  classifica¬ 
tion  performance,  MSD905  is  correctly  identified  at  a  rate  of  90%  or  better  for 
SNRe[— 3.0, 27.0]  dB.  In  comparison  to  GT-based  classification  results,  individ¬ 
ual  classification  of  MS66E7  using  GWT  RF-DNA  fingerprints  never  achieves  the 
%C=90%  benchmark;  representing  a  performance  degradation.  The  average  device 
classification  performance  suffers  a  3.0  dB  loss,  dropping  from  SNR— 12.0  to  15.0  dB, 
when  switching  from  GT  to  GWT  RF-DNA  fingerprints.  Results  in  Fig.  4.2  illustrate 
that  GRLVQI  classification  using  GT  RF-DNA  fingerprints  provides  the  best  means 
for  achieving  serial  number  classification  of  802. 16e  WiMAX  MS  devices. 

Note:  The  superiority  of  GT  fingerprinting  in  Fig.  4.2  is  not  attributable 
to  the  larger  number  of  full- dimensional  features  being  used.  This  is 
subsequently  demonstrated  using  DRA  in  Section  4.1.3. 

Figure  4.3  provides  a  direct  comparison  between  average  device  classification 
performance  of  the  MDA/ML  and  GRLVQI  classifiers.  Clearly  MDA/ML  results  in 
the  best  average  classification  performance;  however,  GRLVQI  classifier  performance 
is  within  10%  of  the  MDA/ML  results.  Although  GRLVQI  does  not  achieve  the 
same  degree  of  individual  and  average  device  classification  performance,  as  that  of 
MDA/ML,  it  addresses  one  key  shortfall  of  the  MDA/ML  classifier  in  that  GRLVQI 
provides  a  direct  measure  of  how  much  each  individual  feature,  that  comprise  an 
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%  Correct  %  Correct 


(a)  Time  Domain  (TD):  Nf =72 


(b)  Spectral  Domain  (SD):  Nf =24 
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(c)  Gabor  Transform  (GT):  Nf=204  [72]  (d)  Gabor-Wigner  Transform  (GWT):  Nf=204) 


Figure  4.2:  Full-Dimensional  GRLVQI  classification  performance  using  TD,  SD,  GT 
and  GWT  RF-DNA  features  from  six  802. 16e  WiMAX  devices. 
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Figure  4.3:  Cross-device  average  MDA/ML  and  GRLVQI  classification  performance 
for  802. 16e  WiMAX  devices  using  Gabor  Transform  (GT)  RF-DNA  features. 

RF-DNA  fingerprint,  contributes  to  a  classification  decision.  This  measure  of  feature 
contribution  is  defined  as  its  relevance  ranking,  as  defined  in  Section  2.3.2,  and  enables 
Dimensionality  Reduction  Analysis  (DRA). 

4-1.3  DRA  Impact  on  WiMAX  Classification.  This  section  provides  Di¬ 
mensionality  Reduction  Analysis  (DRA)  results  using  the  four  strategies  for  selec¬ 
tion  of  the  “best”  ranked  dimensionally  reduced  feature  sets  as  described  in  Sec¬ 
tion  3.4.  Prior  to  generation  of  MDA/ML  and  GRLVQI  classification  performance 
for  SNRe[— 3.0,  27.0]  dB,  an  initial  assessment  was  performed  using  relevance  values 
selected  using  (3.17)  for  SNR— 12.0  dB  (j= 6)  to  assess  DRA  impact  on  classification 
performance.  Initial  DRA  impact  on  device  classification  was  assessed  using  three 
reduced  subsets  selected  using  the  relevance  values  Af/e/6(Af//,  06)  and  comprised  of 
the: 

1.  Highest  ranked  10%  features  (DRAi=  90%). 
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Figure  4.4:  GRLVQI  A i  relevance  values  for  highest  ranked  10%  (squares)  and  second- 
highest  ranked  10%  (triangles)  at  SNR=12.0  dB  [72], 


2.  Second  highest  ranked  10%  features  (DRA2=90%). 

3.  Highest  ranked  20%  features-union  of  DRAX  and  DRA2  (DRA3=80%). 


Corresponding  A j  values  for  the  two  10%  subsets  extracted  from  Fig.  3.2  are 
shown  in  Fig.  4.4.  It  is  clear  that  the  A*  values  for  the  second- highest  ranked  10% 
are  much  lower  than  the  highest  ranked  10%;  thus  indicating  that  these  features 
contribute  very  little  to  the  classification  decision. 

Based  upon  the  full-dimensional  classification  results  presented  in  Section  4.1.1 
and  Section  4.1.2,  GT-based  RF-DNA  fingerprints  extracted  from  WiMAX  near¬ 
transient  responses  are  used  to  assess  the  effectiveness  of  the  GRLVQI  classifier’s 
assigned  feature  rankings  A^.  The  effectiveness  of  the  GRLVQI  feature  ranking  pro¬ 
cess  is  illustrated  in  Fig.  4.5(a)  which  shows  GRLVQI  device  classification  perfor¬ 
mance  for  the  reduced-feature  subsets  described  above,  as  well  as  performance  using 
all  Nj= 204  features.  Approximate  computation  times  are  shown  along  the  horizontal 
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axis  in  parenthesis  for  each  case.  Based  upon  these  results  it  is  clearly  evident  that 
the  GRLVQI  process  is  very  effective  in  ranking  relevant  classification  features.  This 
conclusion  is  reinforced  by  several  observations: 

1.  Performance  with  the  20  highest  ranked  (top  10%)  features  is  statistically  equiv¬ 
alent  to  full-dimensional  performance  and  yields  a  significant  10  x  reduction  in 
required  computation  time. 

2.  Performance  with  the  second- highest  20  ranked  features  is  considerably  poorer 
than  that  of  full-dimensional  performance,  with  device  classification  degrading 
by  5%  to  30%. 

3.  Performance  using  the  highest  40  ranked  features  is  statistically  equivalent  to 
performance  using  the  highest  20  ranked  features.  This  suggests  that  the  addi¬ 
tional  20  features  are  either  irrelevant  or  contain  redundant  information  and  a 
2x  processing  penalty  is  incurred. 

As  a  final  independent  assessment  of  GRLVQI  DRA  effectiveness,  the  identical 
reduced  feature  sets  were  used  with  the  MDA/ML  classifier  described  in  Section  2.3.1. 
Reduced  dimension  MDA/ML  classification  results  are  presented  in  Fig.  4.5(b)  along 
with  full- dimensional  results  for  comparison.  With  regard  to  classification  perfor¬ 
mance,  MDA/ML  results  and  conclusions  are  consistent  with  GRLVQI  results  in 
Fig.  4.5(a).  However,  MDA/ML  results  using  the  highest  ranked  10%  features  only 
required  approximately  1/300^'  of  the  GRLVQI  computation  time.  The  added  “in¬ 
sight”  that  GRLVQI  provides  is  clearly  beneficial,  but  it  does  come  at  a  cost. 

The  patches  providing  greatest  discriminating  information  are  highlighted  in 
Fig.  4.6.  This  figure  shows  the  T-F  responses  for  arbitrary  bursts  from  each  of  the  six 
authorized  devices  (MS63A7,  MS63A9,  MS66E7,  MS6373,  MS6387,  MSD905).  The 
red  rectangles  identify  patch  locations  containing  the  highest  ranked  10%  features  as 
shown  in  Fig.  4.4  and  used  to  generate  results  in  Fig.  4.5.  As  indicated,  discrimination 
is  not  solely  obtained  from  information  contained  in  T-F  patches  containing  higher 
level  signal  responses. 
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100 


(a)  GRLVQI  Processing 


(b)  MDA/ML  Processing 


Figure  4.5:  WiMAX  Dimensional  Reduction  Analysis  (DRA):  Full-dimensional  (All) 
vs.  three  DRA  feature  sets  comprised  of  highest  ranked  10%  (Top  20),  highest  ranked 
20%  (Top  40),  and  second-highest  ranked  10%  (2nd  20)  features  at  SNR=12.0  dB  [72], 
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Figure  4.6:  Gabor  T-F  responses  for  Nc— 6  WiMAX  devices:  Rectangular  patches 
identify  regions  containing  the  highest  ranked  10%  (Top  20)  features  in  Fig.  4.4.  One 
representative  response  shown  per  device  [72], 
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1.  DRA  Method  #1:  Individual  WiMAX  MS  device  classification  performance 
using  the  DRA  Method  fil  feature  subset -top  20  ranked  features  selected 
using  relevance  ranking  at  a  single  SNR ,  (3.17),  is  shown  in  Fig.  4.7.  For 
SNR>15.0  dB,  individual  device  classification  is  80%  or  better  using  the  GR- 
LQVI  and  MDA/ML  classifiers.  Average  device  classification  is  90%  or  better 
for  both  classifiers  at  SNR>12.0  dB. 

2.  DRA  Method  #2:  Figure  4.8  shows  individual  WiMAX  MS  device  classifica¬ 
tion  performance  using  the  DRA  Method  ^2  feature  selection  technique-top  20 
ranked  features  selected  using  the  relevance  rankings  at  each  SNR ,  (3.18).  Indi¬ 
vidual  device  classification  is  80%  or  better  using  the  GRLQVI  and  MDA/ML 
classifiers  for  SNR>15.0  dB.  These  results  are  comparable  to  those  of  DRA 
Method  #1. 

3.  DRA  Method  #3:  Figure  4.9  shows  individual  WiMAX  MS  device  classification 
performance  using  the  DRA  Method  #3  feature  subset -top  20  ranked  features 
are  chosen  from  the  average  relevance  ranking  computed  across  all  SNR ,  (3.19). 
Individual  device  classification  is  80%  or  better  for  the  GRLVQI  classifier  at 
SNR>15.0  dB.  The  MDA/ML  classifier  achieves  an  individual  device  classifi¬ 
cation  performance  for  five  of  the  six  MS  of  80%  or  better  for  SNR>9.0  dB. 
Unlike  the  previous  two  DRA  methods,  there  are  two  notable  observations  from 
the  DRA  Method  #3: 

(a)  GRLQVI  classifier  performance  is  improved  when  compared  with  that  of 
DRA  Method  #1  and  Method  #2. 

(b)  MDA/ML  performance  is  much  better  for  five  of  the  six  MS  devices  than 
that  of  DRA  Method  fi2. 
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(a)  GRLVQI  Processing 


(b)  MDA/ML  Processing 


Figure  4.7:  DRA  Method  #1:  Device  classification  performance  with  the  top  20 
ranked  features  selected  by  (3.17). 
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Figure  4.8:  DRA  Method  #2\  Device  classification  performance  with  top  20  ranked 
features  selected  using  (3.18). 
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Observation:  For  operational  network  security,  DRA  Method  #3  pro¬ 
vides  a  means  for  determining  a  single,  SNR  independent  set  of  features 
that  can  be  used  to  discriminate  devices  under  varying  channel  condi¬ 
tions.  This  simplifies  system  implementation  and  mitigates  the  need  to 
estimate  SNR  in  real-time  applications. 

4.  DRA  Method  $4:  Individual  WiMAX  MS  device  classification  performance 
using  the  DRA  Method  ^4  feature  subset  is  shown  in  Fig.  4.10  where  the  top  20 
ranked  features  are  selected  the  union  of  the  relevance  rankings  across  all  SNR , 
(3.20).  GRLVQI  classification  performance  is  80%  or  better  for  all  individual 
devices  for  SNR>15.0  dB.  When  compared  with  DRA  Method  #3,  GRLVQI 
performance  is  slightly  degraded  for  MS6373  and  MS66E7  for  SNR>21.0  dB. 
There  is  also  a  degradation  of  MDA/ML  performance  with  respect  to  MS66E7 
at  12>SNR<21.0  dB.  However,  DRA  Method  #4  provides  the  same  benefit 
as  DRA  Method  ^3  in  that  a  single  set  of  SNR  independent  features  can  be 
selected  to  provide  device  classification. 

Figure  4.11  provides  a  direct  comparison  of  average  cross-device  classification 
performance  for  a  full- dimensional  feature  set  and  results  for  four  DRA  sets  from 
Fig.  4.7  -  Fig.  4.10.  Figure  4.11(a)  shows  that  GRLVQI  processing  with  all  four  DRA 
selection  methods  yields  average  performance  that  is  comparable  to  full- dimensional 
results.  For  MDA/ML  processing,  Fig.  4.11(b)  shows  that  none  of  the  DRA  se¬ 
lection  methods  yield  results  matching  full-dimensional  performance,  with  1)  DRA 
Method  #1  being  superior  to  all  other  methods  for  SNR>15.0  dB,  and  2)  all  four 
DRA  methods  being  within  %C*~±5.0%  of  one  another  for  SNR<15.0  dB.  Based 
upon  these  results  and  the  observation  that  DRA  Method  ^3  provides  a  means  for 
determining  a  single,  SNR  independent  set  of  RF-DNA  features,  all  subsequent  DRA 
results  are  generated  using  reduced  feature  sets  selected  by  DRA  Method  #3. 

4-1-4  WiMAX  Device  ID  Verification.  For  device  ID  verification,  a  total 
of  twelve  WiMAX  MS  devices  are  used.  The  six  previously  used  for  device  classi¬ 
fication  are  designated  as  “authorized”  network  devices  and  the  remaining  six  MS 
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(a)  GRLVQI  Processing 


(b)  MDA/ML  Processing 


Figure  4.9:  DRA  Method  #3\  Device  classification  performance  with  top  20  ranked 
feature  selected  using  (3.19). 
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(a)  GRLVQI  Processing 


(b)  MDA/ML  Processing 


Figure  4.10:  DRA  Method  #4'-  Device  classification  performance  with  top  20  ranked 
feature  selected  using  (3.20). 
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(a)  GRLVQI  Processing 


(b)  MDA/ML  Processing 


Figure  4.11:  Overlay  of  average  cross-device  Classification  performance  for  a  full¬ 
dimensional  feature  set  and  results  for  four  DRA  sets  from  Fig.  4.7  -  Fig.  4.10. 
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(ID  #s  MS637D,  MS9993,  MSC2FF,  MSDAB9,  MSDAC5,  MSDDBF)  are  designated 
as  “rogue”  network  devices.  These  “rogue”  devices  are  used  to  assess  device  verifica¬ 
tion  performance  for  the  case  where  a  previously  unseen  device  (not  present  during 
classifier  training)  falsely  presents  a  bit-level  identity  matching  an  authorized  device 
and  attempts  to  gain  network  access  by  posing  as  an  authorized  device. 

4.I.4.I  MDA/ML  Processing.  As  in  [20,29,71],  WiMAX  device  ID 
verification  performance  is  assessed  using  full-dimensional  GT  RF-DNA  fingerprints 
and  the  Normalized  Posterior  Probability  verification  test  statistic  zv  generated  per 
(3.22)  in  Section  3.5.1.  Individual  verification  performance  for  the  six  authorized 
WiMAX  MS  devices  (ID  #s  MS63A7,  MS63A9,  MS66E7,  MS6373,  MS6387,  MSD905) 
at  SNR=6.0  dB  is  shown  in  Fig.  4.12.  As  described  in  Section  2.4  and  Section  3.5.1, 
the  ROC  curves  are  formulated  by  testing  the  verification  performance  using  each 
authorized  device’s  claimed  bit-level  identity  (MAC  address)  against  their  known  true 
identity.  This  true  identity  is  the  “best”  case  model  (minimum  average  classification 
error)  resulting  from  the  MDA/ML  classifier  training  process.  The  individual  ROC 
curves  provide  an  illustration  of  the  trade-off  that  exists  between  network  security 
and  receptiveness  as  the  threshold  tv  is  varied  for  a  selected  device  [20] . 

Figure  4.12  shows  that  for  an  arbitrary  EER<10%  benchmark  is  achieved  for 
all  six  of  the  authorized  devices.  Devices  MSD905  and  MS66E7  achieved  the  highest 
and  poorest  EERs  of  0%  and  0.05%  at  SNR= 6.0  dB,  respectively.  The  ROC  curves 
for  the  two  WiMAX  MS  devices  that  resulted  in  the  best  case  (Fig.  4.13(a))  and  worst 
case  (Fig.  4.13(b))  device  classification  performance  for  SNR=[0.0,  3.0,  6.0]  dB  are 
shown  in  Fig.  4.13.  At  SNR=0.0  dB,  these  figures  show  that  the  poorest  EER  occurs 
for  MS66E7  with  a  value  of  approximately  0.23%.  The  verification  results  for  the 
remaining  four  WiMAX  MS  devices  (ID  ^s  MS63A7,  MS63A9,  MS6373,  MS6387) 
are  shown  in  Fig.  A.l  of  Appendix  A.l. 

4-1.4-2  GRLVQI  Processing.  Based  upon  the  results  presented  in 
Section  4.1.3,  GRLVQI-based  device  ID  verification  is  performed  using  dimensionally 
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Figure  4.12:  MDA/ML  verification  ROC  curves  for  WiMAX  MS  devices  using  the 
Normalized  Posterior  Probability  test  statistic  and  Gabor  Transform  (GT)  RF-DNA 
features  at  SNR= 6.0  dB  [71]. 


reduced  GT  RF-DNA  Fingerprints  in  which  the  top  20  features  are  selected  by  DRA 
Method  #4:  (3.20).  As  with  MDA/ML-based  device  ID  verification  results,  presented 
in  Section  4. 1.4.1,  ROC  curves,  created  from  the  rates  shown  in  Table  2.1  and  an 
arbitrary  benchmark  of  EER<10%,  are  used  to  quantify  verification  performance.  In 
accordance  with  Section  3.5.2,  the  verification  test  statistic  zv  is  generated  using  one 
of  four  similarity  measures,  including:  Euclidean  Distance  (d®)  per  (2.29),  Normalized 
Euclidean  Distance  (d®)  per  (3.27),  Spatial  Angle  ( 9S )  per  (3.28),  and  Spatial  Angle- 
Times- Normalized  Euclidean  Distance  ( dsxd^ )  per  (3.29). 

Device  ID  verification  is  performed  using  the  set  of  Nq  —  6  Authorized  WiMAX 
devices  used  for  classification  results  presented  at  the  beginning  of  Section  4.1.  Fig¬ 
ure  4.14  shows  individual  Authorized  device  verification  performance  using  each  of 
the  four  similarity  measures.  Results  in  Fig.  4.14(a)  and  Fig.  4.14(b)  represent  in¬ 
dividual  Authorized  device  verification  performance  using  the  distance-only  d^  and 
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(a)  Best  Case:  Device  ID  #MSD905. 


(b)  Worst  Case:  Device  ID  #MS66E7. 


Figure  4.13:  MDA/ML  verification  ROC  curves  for  best  case  and  worst  case  WiMAX 
MS  devices  using  the  Normalized  Posterior  Probability  test  statistic  and  Gabor  Trans¬ 
form  (GT)  RF-DNA  features  at  SNR=[0.0,  3.0,  6.0]  dB  [71]. 
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dE  test  statistics,  respectively.  These  two  test  statistics  yielded  poorest  Authorized 
device  verification  performance  and  failed  to  achieve  an  arbitrary  Authorized  Device 
Verification  Rate  (ADVR)  of  ADVR>90%  (EER<10%)  for  2  of  6  authorized  devices 
where  ADVR  equals  the  True  Verification  Rate  (TVR)  shown  in  the  ROC  curves. 
For  both  cases,  poorest  performance  is  indicated  for  authorized  device  ID  ^MS66E7 
which  would  be  denied  network  access  nearly  20%  of  the  time.  In  an  effort  to  obtain 
the  arbitrary  EER<10%  benchmark  for  all  authorized  devices,  verification  is  per¬ 
formed  using  test  statistics  generated  from  the  Spatial  Angle  and  the  product  of  the 
Spatial  Angle  and  Normalized  Euclidean  Distance  similarity  measure. 

Results  in  Fig.  4.14(c)  and  Fig.  4.14(d)  represent  authorized  device  verification 
ROC  curves  using  the  spatial  angle  and  product  of  the  spatial  angle  and  normalized 
Euclidean  distance  based  test  statistics.  Both  test  statistics  achieve  the  arbitrary 
EER<10%  benchmark  for  all  six  of  the  authorized  devices.  The  product  of  the  spa¬ 
tial  angle  and  normalized  Euclidean  distance  offers  some  improvement  over  spatial 
angle  only  in  that  5  of  the  six  devices  achieves  an  EER<0.10%. 

The  ability  to  verify  authorized  network  devices  only  addresses  one  aspect  of  the 
network  security  problem.  The  other  important  aspect  is  the  rogue  device  rejection 
capability.  In  this  case,  previously  unseen  “rogue”  devices  endeavor  to  gain  unau¬ 
thorized  network  access  by  posing  as  an  authorized  device.  This  is  done  by  falsely 
presenting  bit-level  credentials  matching  an  authorized  device  identity.  This  work 
has  designated  devices  that  perform  such  nefarious  acts  as  Rogue  devices.  There¬ 
fore,  an  additional  set  of  N^= 6  Rogue  WiMAX  devices  (ID#s  MS637D,  MS9993, 
MSC2FF,  MSDAB9,  MSDAC5,  MSDDBF)  are  used  to  test  the  effectiveness  of  the 
developed  device  ID  verification  process.  Each  of  the  Nfi=6  Rogue  WiMAX  devices 
falsely  presents  the  bit-level  ID  for  each  of  the  N^=6  Authorized  WiMAX  devices; 
thus,  representing  a  total  of  36  attempts  at  gaining  unauthorized  network  access.  Of 
the  six  rogue  devices,  MS637D  provided  the  greatest  challenge  to  successful  device 
verification.  Figure  4.15  shows  the  verification  results  for  the  case  of  MS637D  posing 
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False  Verification  Rate  (FVR) 


False  Verification  Rate  (FVR) 


(a)  Euclidean  Distance  (d#). 


(b)  Normalized  Euclidean  Distance  (de). 


False  Verification  Rate  (FVR) 


False  Verification  Rate  (FVR) 


(c)  Spatial  Angle  (ds). 


(d)  Angle-Times-Distance  (dsxd£)  [72]. 


Figure  4.14:  GRLVQI  verification  ROC  curves  for  N£= 6  Authorized  WiMAX  MS  de¬ 
vices  using  Gabor  Transform  (GT)  RF-DNA  features  at  SNR=18.0  dB  and  indicated 
similarity  measures  per  Section  3.5.2. 
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as  each  of  the  authorized  devices.  Results  in  Fig.  4.15(a)  and  Fig.  4.15(b)  show  that 
MS637D  would  gain  network  access  approximately  25%  of  the  time  when  claiming 
the  bit-level  identity  of  authorized  device  MS6387  and  the  Euclidean  or  Normalized 
Euclidean  Distances  are  used  as  the  test  statistic  zv.  Figure  4.15(c)  illustrates  that  the 
Spatial  Angle  test  statistic  results  in  MS637D  being  verified  as  MS6373,  MS6387,  and 
MS66E7  at  rates  of  approximately  25%,  30%,  and  42%,  respectively.  This  represents 
the  poorest  case  of  rogue  device  verification.  Rogue  device  verification,  for  MS637D, 
based  upon  the  product  of  spatial  angle  and  normalized  Euclidean  distance  is  shown 
in  Fig.  4.15(d).  For  this  case,  MS637D  is  verified  as  authorized  device  MS6387  ap¬ 
proximately  30%  of  the  time.  When  considering  both  authorized  and  rogue  device 
verification  performance,  the  product  of  the  spatial  angle  and  normalized  Euclidean 
distance  test  statistic  provides  the  best  means  of  permitting  authorized  device  ac¬ 
cess  while  simultaneously  denying  rogue  devices.  Using  the  angle-distance  product, 
Fig.  4.16  shows  resultant  ROC  and  EER  results  representing  a  total  of  36  rogue  de¬ 
vice  detection  scenarios  where  each  of  the  Nq  =  6  Rogue  devices  present  false  bit-level 
credentials  for  each  of  the  Nq—  6  authorized  devices.  As  indicated  by  the  dashed  line, 
Rogue  device  ID  ^MS637D  provides  the  greatest  security  risk  when  presenting  false 
bit-level  credentials  matching  authorized  device  ID  ^MS6387  [72],  The  remaining 
device  verification  results  for  all  the  test  statistics  and  the  remaining  Nq—5  Rogue 
devices  are  presented  in  Appendix  A.l. 


Observation:  The  benefits  of  GT-based  RF-hngerprints  and  DRA  fea¬ 
ture  selection  method  #3  are  leveraged  for  the  802.11a  WiFi  results. 
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Rogue  Accept  Rate  (RAR) 
(a)  Euclidean  Distance  (d#). 


Rogue  Accept  Rate  (RAR) 

(b)  Normalized  Euclidean  Distance  (dg). 


Rogue  Accept  Rate  (RAR) 
(c)  Spatial  Angle  (0S). 


Rogue  Accept  Rate  (RAR) 

(d)  Spatial  Angle-Times-Normalized  Eu¬ 
clidean  Distance  (9S  x  ds  )  [72]. 


Figure  4.15:  GRLVQI  verification  ROC  curves  for  N^=  6  Rogue  WiMAX  MS  devices 
using  Gabor  Transform  (GT)  RF-DNA  features  at  SNR= 18.0  dB  and  indicated  sim¬ 
ilarity  measures  per  Section  3.5.2. 
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Figure  4.16:  GRLVQI  verification  ROC  curves  for  Nfi=6  Rogue  devices  present¬ 
ing  false  bit-level  credentials  for  each  of  the  Njj=6  authorized  devices  (36  total 
rogue  scenarios  represented)  using  Gabor  Transform  (GT)  RF-DNA  features  at 
SNR= 18.0  dB  [72], 


4-2  IEEE  802.11a  WiFi  Results 

As  described  in  Section  3.3  ( classification )  and  Section  3.5  (verification) ,  results 
were  generated  using  RF-DNA  fingerprints  extracted  from  802.11a  WiFi  preamble 
emissions-the  same  emissions  used  previously  for  Dual  Tree  Complex  Wavelet  Trans¬ 
form  (DT-CWT)  results  in  [56,57].  Following  the  procedure  outlined  in  Section  3.1, 
collections  for  each  of  the  Nq= 4  WiFi  devices  to  ensure  a  total  of  1V£=1000  complex 
bursts  per  device.  The  collected  signals  were  subsequently  digitally  filtered,  individual 
bursts  detected  for  removal  from  the  overall  collection  record,  and  the  SNR  scaled 
per  Section  3.2. 

Assessment  results  in  this  section  are  for  SNR^[— 3.0,  27.0]  dB  in  3.0  dB  in¬ 
crements,  with  the  SNR  scaling  process  was  repeated  Nz—10  times  to  ensure  suffi¬ 
cient  statistical  significance  for  Monte  Carlo  analysis.  For  WiFi  assessment,  the  full¬ 
dimensional  TD,  SD,  GT,  or  GWT  fingerprints  were  comprised  of  Nf— [117,  33, 363, 363] 
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Results  are  first  presented  for  full-dimensional  RF-DNA  fingerprinting  in  Section  4.2.1 
and  Section  4.2.2  followed  by  reduced  dimensional  fingerprinting  results  in  Section  4.2.3 
As  with  WiMAX  processing  in  Section  4.1,  Cl =95%  confidence  interval  analysis  was 
facilitated  through  the  use  of  iV2=10  AWGN  realizations  per  SNR  with  the  intervals 
once  again  omitted  in  all  data  plots  to  enhance  visual  clarity. 

WiFi  device  classification  results  are  based  on  four  like-model  devices  from  the 
same  manufacturer  having  different  serial  numbers-denoted  herein  as  ID  N4U9, 
N4UD,  N4UW,  N4PX;  thus,  representing  serial  number  discrimination.  Each  of  the 
RF-DNA  fingerprint  sets  (TD,  SD,  GT,  and  GWT)  was  divided  into  two  subsets. 
Training  of  the  classifier  and  validation  of  the  developed  model  is  performed  using 
the  first  subset.  While  the  classifier  is  trained,  the  “best”  reference  model  is  selected 
and  stored  by  tracking  the  model  that  results  in  the  lowest  classification  error  across 
all  K=5  cross-validation  folds  and  iVz=10  noise  realizations.  The  second  subset  is 
used  to  perform  a  “blind”  test  of  classification  performance  capability  using  the  se¬ 
lected  “best”  reference  model.  Best  practice  pattern  recognition  processes  suggest  the 
use  of  such  data  partitioning  techniques  [48].  The  “blind”  test  classification  results 
are  presented  here  using  both  full  dimensional  RF-DNA  fingerprints  in  Section  4.2.1 
and  Section  4.2.2  while  reduced  dimensional  RF-DNA  fingerprints  are  presented  in 
Section  4.2.3. 

4-2.1  Full- Dimensional  WiFi  Classification:  MDA/ML.  MDA/ML  clas¬ 
sification  results  using  the  full- dimensional  “blind”  RF-DNA  fingerprint  subset  are 
shown  in  this  section.  Individual  device  and  average  MDA/ML  percent  correct  clas¬ 
sification  performance  for  all  four  RF-DNA  fingerprint  creation  techniques,  across 
SNRg{— 3.0,  27.0]  dB,  are  shown  in  Fig.  4.17.  TD  RF-DNA  fingerprint  results  are 
shown  in  Fig.  4.17(a)  and  illustrates  that  average  percent  correct  classification  perfor¬ 
mance  is  90%  for  SNR= 27.0  dB.  Individual  device  classification  performance,  using 
TD  fingerprints,  meets  or  exceeds  90%  for  3  of  the  4  investigated  devices  at  the  highest 
SNR.  Individual  MDA/ML  classification  performance,  using  SD  RF-DNA,  is  90% 
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or  better  for  devices  N4PX  and  N4UD  at  SNR>  12.0  dB,  Fig.  4.17(b).  Average  SD 
RF-DNA  classification  performance  is  90%  or  better  at  SNR>18.0  dB.  Joint  time- 
frequency  domain  individual  device  and  average  classification  performance  is  shown 
for  GT  and  GWT  RF-DNA  fingerprints  in  Fig.  4.17(c)  and  Fig.  4.17(d),  respectively. 
For  GWT  RF-DNA,  only  two  of  the  four  devices  (ID  #s  N4UD,  N4PX)  achieve  an  in¬ 
dividual  classification  percent  correct  performance  of  90%  or  better  at  SN  R>12.0  dB, 
and  average  classification  performance  is  90%  or  better  for  SNR>21.0  dB.  Using  GT 
RF-DNA  fingerprints,  the  MDA/ML  classifier  obtains  an  individual  device  and  aver¬ 
age  classification  performance  of  90%  or  better  at  SNR>12.0  dB  and  SNR=9.0  dB, 
respectively.  These  results  show  that  GT-based  RF-DNA  fingerprinting  provides  the 
best  means  of  achieving  serial  number  discrimination  of  802.11a  WiFi  devices. 


Note:  The  superiority  of  GT  fingerprinting  in  Fig.  4.17  is  not  at¬ 
tributable  to  the  larger  number  of  full-dimensional  features  being  used. 

This  is  subsequently  demonstrated  using  DRA  in  Section  4.2.3. 

Figure  4.18  provides  a  comparison  of  the  average  MDA/ML  classification  per- 
formaces  for  each  the  four  RF-DNA  fingerprinting  techniques  described  in  Section  2.2 
as  well  as  the  DT-CWT  results  from  [56,57].  The  DT-CWT  results  are  for  the  same 
four  802.11a  WiFi  devices  and  are  the  average  computed  across  all  combinations  of 
three  devices.  Each  of  the  DT-CWT  RF-DNA  fingerprints  were  comprised  of  Ay =135 
features.  The  GT-based  classification  results  are  superior  to  the  DT-CWT  results, 
for  SNR> 4.0  dB.  Relative  to  other  features,  GT  RF-DNA  fingerprinting  yields  a 
gain  in  performance  of  Gp~16.0  dB  (TD),  Gp~9.0  dB  (SD),  Gp~9.0  dB  (GWT), 
and  Gp~7.0  dB  (DT-CWT)  at  %C=90%  classification  accuracy.  As  in  [94],  SD  RF- 
DNA  fingerprinting  performance  is  consistent  with  DT-CWT  performance  across  all 
investigated  SNR. 

4-2.2  Full- Dimensional  WiFi  Classification:  GRLVQI.  Using  the  same  RF- 
DNA  fingerprints  for  four  WiFi  devices  classified  in  Section  4.2.1,  full-dimensional  GR¬ 
LVQI  classification  results  are  presented  in  this  section.  Figure  4.19  illustrates  indi- 
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(a)  Time  Domain  (TD):  Nf=117. 


(b)  Spectral  Domain  (SD):  Nf= 33. 


(c)  Gabor  Transform  (GT):  Nf= 363.  (d)  Gabor-Wigner  Transform  (GWT):  Nf= 363. 


Figure  4.17:  Full-Dimensional  MDA/ML  classification  performance  using  TD,  SD, 
GT  and  GWT  RF-DNA  features  from  A"c=4  802.11a  WiFi  devices. 
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Figure  4.18:  Average  MDA/ML  WiFi  classification  performance  from  Fig.  4.17  over- 
layed  with  previously  published  DT-CWT  results  from  [57]. 

vidual  device  and  average  GRLVQI  percent  correct  classification  performance  for  TD, 
SD,  GT,  and  GWT  RF-DNA  fingerprint  generation  techniques  at  SNR&[— 3.0, 27.0]  dB 
Figure  4.19(a)  shows  individual  device  and  average  GRLVQI  percent  correct  classifica¬ 
tion  performance  using  TD  RF-DNA  fingerprints.  Average  TD  RF-DNA  classification 
fails  to  achieve  the  90%  correct  performance  benchmark  for  all  investigated  SNR ,  and 
only  device  N4PX  is  classified  correctly  at  a  rate  of  90%  or  better  for  SNR>  18.0  dB. 
GRLVQI  individual  device  and  average  classification  results,  using  SD  fingerprints, 
are  shown  in  Fig.  4.19(b).  Two  of  the  tested  802.11a  WiFi  devices  (ID  ^s  N4UD  and 
N4PX)  are  correctly  classified  at  a  rate  of  90%  or  better  for  SNR>  12.0  dB.  Average 
classification  performance  using  SD  RF-DNA  is  90%  or  better  for  SNR>  18.0  dB  and 
represents  a  significant,  approximate  18.0  dB  improvement  over  TD  results. 

GT-based  RF-DNA  fingerprint  GRLVQI  classification  performance  is  illus¬ 
trated  in  Fig.  4.19(c).  All  four  devices  are  correctly  classified  at  90%  or  better  perfor¬ 
mance  for  SNR>  18.0  dB.  Average  percent  correct  classification  performance  meets  or 
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%  Correct  %  Correct 


(a)  Time  Domain  (TD):  Nf =117. 


(b)  Spectral  Domain  (SD):  N/= 33. 


(c)  Gabor  Transform  (GT):  Nf= 363  [73]. 


(d)  Gabor-Wigner  Transform  (GWT):  Nf= 363. 


Figure  4.19:  Full-Dimensional  GRLVQI  classification  performance  using  TD,  SD,  GT 
and  GWT  RF-DNA  features  from  Nc= 4  802.11a  WiFi  devices. 
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exceeds  the  arbitrary  90%  benchmark  for  SNR>15.0  dB.  GRLVQI  individual  device 
and  average  percent  correct  classification  performance  is  illustrated  in  Fig.  4.19(d)  for 
the  GWT  RF-DNA  generation  technique.  As  with  GT-based  results,  GWT-based 
RF-DNA  classification  performance  of  WiFi  devices:  N4UD  and  N4PX,  is  90%  or 
better  for  SNR>  12.0  dB.  However,  when  comparing  average  GWT  RF-DNA  classi¬ 
fication  performance  to  that  of  the  GT-based  results,  performance  is  deteriorated  by 
approximately  9.0  dB.  As  with  MDA/ML  results  in  Section  4.2.1,  GRLVQI  classifi¬ 
cation  using  GT  RF-DNA  fingerprints  provides  the  best  means  for  achieving  serial 
number  discrimination  of  802.11a  WiFi  devices.  This  is  illustrated  in  Fig.  4.20  re¬ 
sults  which  reflect  an  approximate  gain  of  Gp=15.0  dB  (TD),  Gp=5.0  dB  (SD),  and 
Gp=10.0  dB  (GWT-based)  for  other  methods. 


Note:  The  superiority  of  GT  fingerprinting  in  Fig.  4.19  is  not  at¬ 
tributable  to  the  larger  number  of  full-dimensional  features  being  used. 

This  is  subsequently  demonstrated  using  DRA  in  Section  4.2.3. 

A  direct  comparison  of  average  classification  performance,  using  GT  RF-DNA, 
of  the  MDA/ML  and  GRLVQI  classifiers  is  shown  in  Fig.  4.21.  The  MDA/ML  and 
GRLVQI  average  performances  are  statistically  equivalent  for  SNR^[— 3.0, 3.0]  dB 
and  [21.0,27.0]  dB.  MDA/ML  average  results  are  superior  to  GRLVQI-based  results 
for  SNRe  [3.0,  21.0]  dB;  however,  at  the  point  of  greatest  difference  (SNR&9.0  dB) 
GRLVQI  is  within  12%  of  MDA/ML  classifier  performance.  As  previously  stated, 
the  advantage,  over  MDA/ML,  of  the  GRLVQI  classifier  is  that  it  facilitates  Di¬ 
mensionality  Reduction  Analysis  by  providing  a  measure  of  feature  contribution  to  a 
classification  decision,  via  the  relevance  ranking  A,. 

4-2.3  DRA  Impact  on  WiFi  Classification.  Based  upon  WiFi  classifica¬ 
tion  results  in  Section  4.2.1  and  Section  4.2.2  along  with  the  WiMAX  results  in 
Section  4.1.3,  the  impact  of  dimensionally  reduced  WiFi  GT  RF-DNA  fingerprints 
on  MDA/ML  and  GRLVQI  classifier  performance  was  next  assessed.  Based  on  the 
initial  WiMAX  DRA  assessment  in  Section  4.1.3,  it  was  determined  that  a  feature 
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set  containing  only  the  top  10%  of  ranked  features  provided  statistically  equivalent 
classification  performance  to  results  achieved  using  a  full-dimensional  feature  set.  Fur¬ 
thermore,  selection  of  the  DRA  feature  subset  was  performed  using  DRA  Method  7^3 
for  the  following  reasons: 

1.  GRLQVI  classifier  performance  was  best  when  using  DRA  Method  A-3  when 
compared  to  performance  using  either  DRA  Method  #1  and  Method  7^2. 

2.  MDA/ML  classifier  performance  was  much  better  for  five  of  six  MS  devices 
when  using  DRA  Method  7^3  relative  to  what  was  achieved  using  Method  7^2. 

3.  DRA  Method  7^3  provides  a  means  for  determining  a  single,  SNR  independent 
subset  of  relevant  features  that  can  be  used  to  reliably  discriminate  devices  at 
multiple  SNR;  this  mitigates  the  need  to  estimate  SNR  in  real-time  applications 
and  enhances  experimental-to-operational  transition  opportunity. 


Figure  4.20:  Average  GRLVQI  classification  performances  from  Fig.  4.19  using  TD, 
SD,  GT  and  GWT  RF-DNA  features  from  Nc=4:  802.11a  WiFi  devices. 
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Figure  4.21:  WiFi  classifier  performance  comparison  showing  Fig.  4.18  MDA/ML  and 
Fig.  4.20  GRLVQI  cross-device  average  results  using  Gabor  Transform  (GT)  RF-DNA 
features  from  Nq— 4  802.11a  WiFi  devices. 

Figure  4.22  shows  T-F  responses  for  arbitrary  bursts  that  were  randomly  se¬ 
lected  from  each  of  the  A%=4  802.11a  WiFi  devices  (ID  ^s  N4U9,  N4UD,  N4UW, 
N4PX).  The  regions  containing  the  highest  ranked  10%  (Top  36)  features  are  high¬ 
lighted  by  red  rectangles.  All  reduced  dimensional  results  in  this  section  were  gener¬ 
ated  using  the  highest  ranked  Nf= 36  WiFi  features. 

Figure  4.23  shows  WiFi  device  classification  performance  using  the  top  Nf= 36 
ranked  GT  features  that  were  selected  using  DR  A  Method  #3  per  (3.19).  As  shown, 
MDA/ML  performance  is  generally  better  than  GRLVQI  using  the  dimensionally 
reduced  GT  RF-DNA  fingerprints  and  includes:  1)  all  four  WiFi  devices  achiev¬ 
ing  the  %C>90%  benchmark  at  SNR>  12.0  dB  ( SNR>  16.0  dB  for  GRLVQI),  and 
2)  cross-device  average  performance  of  %C>90%  for  SNR>  10.0  dB  ( SNR>  12.0  dB 
for  GRLVQI).  The  MDA/ML  and  GRLVQI  cross-device  averages  are  shown  overlaid 
in  Fig.  4.24  to  enable  direct  comparison.  By  comparison  with  full-dimensional  results 
in  Section  4.2.1  and  Section  4.2.2,  both  methods  reflect  an  approximate  3.0  dB  per- 
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Figure  4.22:  Gabor  T-F  responses  for  Nq= 4  WiFi  devices:  Rectangular  patches  iden¬ 
tify  regions  containing  the  highest  ranked  10%  (Top  36)  features.  One  representative 
response  shown  per  device  [73]. 
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formance  degradation  using  DRA;  however,  the  dimensionally  reduced  results  only 
required  approximately  one-tenth  the  original  computation  time. 

4.2.4  WiFi  Device  ID  Verification.  Device  ID  verification  results  are  pre¬ 
sented  for  the  four  802.11a  WiFi  devices  (ID  #s  N4U9,  N4UD,  N4UW,  N4PX)  us¬ 
ing  dimensionally  reduced  GT  fingerprints.  The  features  were  ranked  and  selected 
using  DRA  Method  ^3  and  the  device  ID  verification  process  implemented  per 
Section  3.5.2.  Figure  4.25  shows  verification  ROC  curves  in  which  the  arbitrary 
EER<10%  benchmark  is  met  or  exceeded  for  all  Ar(d=4  Authorized  WiFi  devices  at 
SNR= 15.0  dB.  Devices  N4UD  and  N4U9  provided  best  and  worst  case  performance 
of  EER^0.009%  and  EER^O.101%,  respectively.  Figure  4.26  shows  the  ROC  curves 
associated  with  the  WiFi  devices  that  resulted  in  the  best  (Fig.  4.26(a))  and  worst 
(Fig.  4.26(b))  case  individual  classification  performance  for  SNR=[12.0, 15.0, 18.0]  dB. 
The  poorest  performance  is  associated  with  WiFi  device  N4U9  which  resulted  in 
EER^O.2%  at  SNR=  12.0  dB.  Additional  results  for  the  N4UW  and  N4PX  WiFi 
devices  at  S'Ari?=[12.0, 15.0, 18.0]  dB  are  presented  in  Fig.  A. 22  of  Appendix  A. 2. 
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(a)  GRLVQI  Processing  [73] 


(b)  MDA/ML  Processing 


Figure  4.23:  WiFi  GRLVQI  and  MDA/ML  classification  performance  for  Nc= 4  de¬ 
vices  using  the  Top  36  features  selected  with  DRA  Method  # 3  per  (3.19). 
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Figure  4.24:  Overlay  of  GRLVQI  and  MDA/ML  average  cross-device  802.11a  WiFi 
performances  from  Fig.  4.23.  Results  for  GT  RF-DNA  features  for  Nq= 4  devices 
using  the  Top  36  features  selected  with  DRA  Method  # 3  per  (3.19). 


False  Verification  Rate  (FVR) 

Figure  4.25:  GRLVQI  verification  ROC  curves  for  Nq—A  Authorized  WiFi  devices 
using  a  dimensionally  reduced  (top  36)  Gabor  Transform  (GT)  RF-DNA  feature  set 
at  SNR=15.0  dB  [73], 
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(a)  Best  Case:  Device  ID  #N4UD. 


(b)  Worst  Case:  Device  ID  #N4U9. 


Figure  4.26:  GRLVQI  verification  ROC  curves  for  best  case  and  worst  case  WiFi 
devices  using  a  reduced  dimensional  Gabor  Transform  (GT)  RF-DNA  feature  set  at 
SNR=[  12.0,15.0,18.0]  dB  [73], 
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4-3  Multipath  Impact  on  Classification 

Results  are  presented  here  for  a  “first-look”  investigation  into  the  impact  of 
multipath  on  device  classification  performance.  For  this  investigation,  802.11a  WiFi 
preamble  responses  were  used  given  that  1)  a  considerable  amount  of  previous  research 
has  been  completed  using  the  8012.11a  signal  [54,56,57,67,73,81,82,84,94],  and  2)  a 
comparative  performance  baseline  was  established  in  Section  4.2.  Based  on  results  in 
Fig.  4.17  and  Fig.  4.19,  RF-DNA  fingerprints  were  generated  from  both  GT  and  GWT 
T-F  responses  of  802.11a  WiFi  preambles  using  the  process  outlined  in  Section  2.2.3. 
Use  of  GT  and  GWT  features  facilitated  the  analysis  of  both  linear  (GT)  and  non¬ 
linear  (GWT)  transform  effects  on  device  classification  in  the  presence  of  multipath. 


Motivation:  The  technical  community  encouraged  consideration  of  non¬ 
linear  feature  transforms  and  suggested  that  such  transforms  may  provide 
greater  robustness  under  multipath  conditions. 

A  Rayleigh  faded  channel  was  considered  for  the  initial  assessment  of  multipath 
impact  on  device  classification.  As  illustrated  in  Fig.  4.27,  the  channel  was  modeled 
as  including  the  direct  path  Line-of-Sight  (LOS)  signal  s los  and  a  single  stationary 
reflector  producing  the  reflected  signal  sref-  Samples  of  the  composite  received 
multipath  signal  (sMP)  are  given  by, 

sMp[k ]  =  S  LOs[k\  +  sREF[k]  +  nb[k],  (4.1) 

where  nb[fc]  are  independent  background  noise  samples  and 


sREF[k]  —  ARsLOs[k  —  kjt], 


(4.2) 


with  Ar  (amplitude)  and  kp  (delay)  being  random  channel  control  parameters. 

The  Rayleigh  fading  channel  parameters  were  configured  such  that  the  reflected 
signal  Sref  had  1)  one-half  the  power  of  direct  LOS  signal  s los,  and  2)  an  av¬ 
erage  time  delay  of  0.2  ps.  The  desired  channel  effects  were  achieved  using 


Reflector 


Figure  4.27:  Rayleigh  faded  multipath  channel  implemented  with  a  direct  path  LOS 
signal  slos  and  a  reflected  response  sref  using  Matlab®  ’s  rayleighchan.m  function. 


Matlab®  ’s  rayleighchan.m  function  to  create  the  multipath  model.  To  characterize 
the  rayleighchan.m  function  performance  prior  to  using  it  for  multipath  assessment, 
the  function  was  called  1000  times  and  each  resultant  channel  model  convolved  with 
the  same  randomly  selected  802.11a  WiFi  burst  response.  Figure  4.28(a)  shows  the 
selected  LOS  slos  burst  response  overlayed  with  25  smp  multipath  signal  responses. 
Figure  4.28(b)  shows  the  Probability  Mass  Function  (PMF)  of  the  estimated  signal 
power  for  each  of  the  received  signals  and  clearly  shows  the  Rayleigh  fading  effect  due 
to  the  generated  multipath  channel. 

Device  classification  under  multipath  conditions  was  performed  using  the  MDA- 
/ML  classifier  described  in  Section  2.3.1  and  Section  3.3.1.  As  summarized  in  Ta¬ 
ble  4.1,  there  were  three  device  classification  scenarios  considered,  including: 


1.  Both  model  development  (classifier  training)  and  classification  are  performed 
using  RF-DNA  extracted  from  signal  responses  with  no  multipath  present 
(Ml,  Tl), 

2.  Model  development  using  RF-DNA  extracted  from  responses  with  no  mul¬ 
tipath  present  and  subsequent  classification  using  RF-DNA  extracted  from 
signal  responses  with  multipath  present ,  (Ml,  T2),  and 
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(a)  Overlay  of  direct  path  slos  (blue)  and  25  indepen¬ 
dent  received  sr  multipath  signals  (gray)  in  (4.1). 
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(b)  Probability  Mass  Function  for  estimated  power  in 
1000  independent  received  sr  multipath  signals. 


Figure  4.28:  Characterization  of  Rayleigh  faded  multipath  channel  created  using 
Matlab®  ’s  rayleighchan.m  function. 
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Table  4.1:  Model  Development  (M)  and  RF-DNA  Fingerprint  Testing  (T)  Conditions 
for  (M#,T#)  Multipath  Scenarios. 


Variable 

Description 

Ml 

Models  developed  using  RF-DNA  fingerprints 
extracted  from  signal  responses  with  No  Mul¬ 
tipath  Present. 

M2 

Models  developed  using  RF-DNA  fingerprints 
extracted  from  signal  responses  with  Multi- 
path  Present. 

Tl 

Classification  is  performed  using  RF-DNA  test¬ 
ing  fingerprints  extracted  from  signal  responses 

with  No  Multipath  Present. 

T2 

Classification  is  performed  using  RF-DNA  test¬ 
ing  fingerprints  extracted  from  signal  responses 

with  Multipath  Present. 

3.  Both  model  development  and  classification  performed  using  RF-DNA  extracted 
from  signal  responses  with  multipath  present ,  (M2,  T2), 

where  the  combinations  of  model  development  and  classification  used  for  multipath 
assessment  are  denoted  herein  as  (Mt%T^)  with  taking  on  values  indicated  in  the 
variable  column  of  Table  4.1. 

For  this  initial  investigation  RF-DNA  fingerprint  generation,  model  develop¬ 
ment,  and  subsequent  classification  were  performed  using  direct  path  signals  with 
scaled  background  noise  nb[k\  added  to  achieve  SNR=[9.0,  15.0,  18.0]  dB;  resultant 
MDA/ML  classification  performance  for  each  of  these  SNR  conditions  are  shown  in 
Fig.  4.29  (18.0  dB),  Fig.  4.30  (15.0  dB),  and  Fig.  4.31  (9.0  dB).  Notable  observations 
from  these  results  include: 


1.  Figure  4.29  presents  results  for  SNR= 18.0  dB  and  reflects  an  approximate  50% 
reduction  in  average  GT-based  classification  performance  when  comparing  the 
(M1,T1)  and  (M1,T2)  scenarios.  When  comparing  scenario  one  (Ml,  Tl)  and 
two  (Ml,  T2),  there  is  an  approximate  15%  and  35%  reduction  in  average  classi- 
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fication  performance  when  using  RF-DNA  fingerprints  generated  from  GT  and 
GWT-based  features,  respectively.  For  the  (M2,T2)  scenario  using  GWT-based 
RF-DNA,  average  performance  degrades  by  approximately  15%  when  compared 
with  the  (M1,T1)  scenario.  However,  the  average  results  of  scenario  three  are 
consistent  between  the  GT  and  GWT-based  RF-DNA  fingerprints.  For  scenario 
two  (M1,T2),  GWT-based  RF-DNA  results  in  an  approximate  improvement  of 
15%  in  average  classification  performance  in  comparison  to  the  results  when  us¬ 
ing  GT-based  RF-DNA.  This  suggests  that  GWT-based  RF-DNA  fingerprints 
provide  some  multipath  resilience. 

2.  The  resiliency  of  GWT-based  RF-DNA  fingerprints  to  multipath  is  tested  by 

repeating  the  above  process  for  SNR=[9.0, 15.0]  dB.  The  SNR=15.0  dB  clas¬ 
sification  performance  results  are  shown  in  Fig.  4.30  using  both  GT  and  GWT 
features  under  the  three  scenarios  detailed  above.  Comparison  of 

(M1,T1)  and  (M1,T2)  scenario  results  shows  that  average  classification  perfor¬ 
mance  is  degraded  by  approximately  45%  and  32%  for  GT  and  GWT-based 
RF-DNA,  respectively.  For  the  (M2,T2)  scenario,  average  percent  classifica¬ 
tion  is  consistent  across  both  fingerprint  types.  As  with  SNR=  18.0  dB  re¬ 
sults  in  Fig.  4.29,  GWT-based  fingerprinting  at  SNR=  15.0  dB  provides  an 
improvement  of  15%  when  compared  with  GT-based  classification  results  for 
the  (M1,T2)  scenario  and  demonstrates  the  resiliency  of  GWT  RF-DNA  under 
multipath  conditions. 

3.  Figure  4.31  shows  results  for  SNR=9.0  dB.  As  with  the  previous  two  investi¬ 
gated  SNRs ,  test  scenario  two  (M1,T2)  results  in  a  degradation  of  performance 
versus  that  of  scenario  one  (M1,T1)  for  both  fingerprint  generation  techniques. 
However,  the  scenario  two  GWT-based  average  classification  performance  re¬ 
sults  in  only  a  marginal  improvement  (approximately  2%)  over  that  of  the 
GT-based  results.  Test  scenario  three  remains  consistent  between  the  GT  and 
GWT-based  RF-DNA  average  classification  results  and  provides  marginal  im¬ 
provement  over  the  (M1,T2)  scenario.  These  results  and  those  of  test  scenario 
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two  suggests  that  the  multipath  resiliency  benefits  of  the  non-linear  GWT  are 
minimized/lost  as  SNR  degrades. 

4.  When  comparing  the  results  presented  in  Fig.  4.29,  Fig.  4.30,  and  Fig.  4.31, 
it  is  apparent  that  as  SNR  degrades  the  benefits  of  non-linear  GWT-based 
features,  with  respect  to  classification  performance,  are  diminished.  This  is  not 
only  the  case  when  comparing  GT-based  results  to  those  of  the  GWT,  but  also 
when  comparing  scenario  one  to  two  across  and  within  T-F  RF-DNA  fingerprint 
generation  techniques.  Lastly,  training  and  classification  performed  on  RF- 
DNA  fingerprints,  generated  from  signals,  in  which  multipath  is  present  proves 
beneficial  to  classifier  performance  when  compared  to  training  the  classifier  using 
RF-DNA  fingerprints  without  the  presence  of  multipath. 


Observation:  Use  of  non-linear  GWT  features  is  generally  more  robust 
at  higher  SNR  but  yields  comparable  performance  to  linear  GT  features 
when  used  at  lower  SNR. 
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Figure  4.29:  MDA/ML  multipath  assessment  using  GT  (linear)  and  GWT  (non¬ 
linear)  802.11  WiFi  features  with  and  without  multipath  present  at  SNR=18.0  dB. 
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Figure  4.30:  MDA/ML  multipath  assessment  using  GT  (linear)  and  GWT  (non¬ 
linear)  802.11  WiFi  features  with  and  without  multipath  present  at  SNR= 15.0  dB. 
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Figure  4.31:  MDA/ML  multipath  assessment  using  GT  (linear)  and  GWT  (non¬ 
linear)  802.11  WiFi  features  with  and  without  multipath  present  at  SNR=9.0  dB. 
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V.  Conclusions 


THIS  chapter  provides  a  comprehensive  summary  of  key  research  activities,  find¬ 
ings,  and  recommendations  for  future  research. 

5.1  Research  Summary 

Opportunistic  “hackers”  continue  to  gain  unauthorized  access  to  wireless  net¬ 
works  and  their  criminal  activities  are  projected  to  continue  as  new  technologies 
emerge  [10,11,15].  The  pervasiveness  of  communication  standards  based  on  Orthogo¬ 
nal  Frequency  Division  Multiplexing  (OFDM),  e.g.,  IEEE  802.11a/g  Wireless  Fidelity 
(WiFi),  IEEE  802. 16e  Worldwide  Interoperability  for  Microwave  Access  (WiMAX), 
and  3GPP  Long  Term  Evolution  (LTE),  increases  the  threat  of  unauthorized  access 
which  remains  a  concern  for  OFDM-based  wireless  networks.  This  concern  becomes 
even  greater  when  considering  that  some  of  these  technologies  are  being  deployed 
to  form  critical  links  in  larger  system  architectures  such  as  Smart  Grid,  Supervisory 
Control  And  Data  Acquisition  (SCADA),  next  generation  airport  communications, 
and  as  backbone/backhaul  elements  for  cloud  computing  [28,32,37,61,91].  Similar 
to  802.11  WiFi  wireless  networks,  the  network  architectures  of  WiMAX  and  LTE  are 
functionally  dependent  upon  Wireless  Access  Points  (WAP)  which  have  been  iden¬ 
tified  as  one  of  the  top  10  IT  security  threats  [2] -the  motivation  for  this  research 
addressing  WAP  security  enhancement  using  RF  air  monitoring  with  RF  “Distinct 
Native  Attribute”  DNA  (RF-DNA)  fingerprinting. 

The  seven  layer  Open  Systems  Interconnection  (OSI)  model  characterizes  and 
standardizes  all  services  implemented  within  a  wireless  network.  Conventional  mech¬ 
anisms  for  network  security  and  detection  of  unauthorized  users  have  been  employed 
within  higher  layers  of  the  OSI  model,  to  include  the  Network  (NWK)  and  Data 
Link  Layer  (DLL).  Previous  research  in  [17,60,65,78,85,96]  focused  on  developing 
bit-level  security  mechanisms  for  detecting  and  mitigating  unauthorized  network  ac¬ 
cess.  Thus,  by  design  these  bit-level  techniques  overlook  inherent  Physical  (PHY) 
layer  information  that  is  available  at  WAP  “doorways”  through  which  a  majority 
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of  criminal  activity  occurs.  Indifference  to  PHY  layer  information  neglects  poten¬ 
tially  discriminating  information  that  is  contained  within  all  wireless  network  RF 
emissions,  regardless  if  such  emissions  are  from  authorized  or  unauthorized  devices- 
reliable  discrimination  of  friend-or-foe  devices  enhances  network  security  by  reliable 
granting  access  to  authorized  users  while  detecting  and  countering  spoofing  attacks 
of  unauthorized  users. 

RF  fingerprinting  is  one  PHY  layer  technique  that  leverages  inherent  discrimi¬ 
nating  information  within  wireless  RF  emissions.  This  is  accomplished  by  exploiting 
features  that  are  unique  and  difficult  to  counterfeit,  i.e. ,  features  that  are  inadver¬ 
tently  imparted  onto  the  RF  waveform  by  the  hardware  components  that  consti¬ 
tute  the  wireless  device.  A  substantial  amount  of  research  has  been  conducted  in 
the  area  of  RF  fingerprinting  over  the  past  two  decades  [23—25, 2T,  29, 31, 33, 36, 38— 
41,  44,  47,  49,  54,  56-58,  67,  71,  74-76,  81,  84,  86,  88,  89,  93-95],  Recent  related  work 
in  [44,45,47,56-58,71-73,76,81,93,94]  focused  on  PHY  layer  exploitation  using  RF- 
DNA  extracted  from  selected  portions  of  intentionally  modulated  signal  responses. 
The  RF-DNA  attributes  are  1)  adequately  “distinct”  to  enable  persistent  cross-device 
discrimination,  and  2)  “native”  in  that  the  hardware  implementation,  component 
type,  manufacturing  processes  and/or  environmental  interaction  variations  induce 
unique  unintentional  “coloration”  on  the  intentional  modulation  features-inherent 
RF-DNA  features  are  sufficiently  unique  to  enable  human- like  device  hardware  dis¬ 
crimination. 

While  a  considerable  amount  of  RF-DNA  fingerprinting  research  had  been  con¬ 
ducted  previously,  there  remained  a  need  at  the  onset  of  this  research  to  improve  the 
experimental-to-operational  transition  potential  of  RF-DNA  fingerprinting  and  facil¬ 
itate  successful  fielding  of  a  system  to  provide  reliable  and  robust  PHY  layer  security 
augmentation.  Such  a  security  system  must  be  able  to  discriminate  between  1)  devices 
from  different  manufacturers  (cross-manufacturer),  2)  dissimilar  model  devices  from 
the  same  manufacturer  (cross- model),  and  3)  like  model  devices  from  the  same  manu¬ 
facturer  (the  most  challenging  serial  number  discrimination  case  [44,47,57,76,93,94]). 
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The  security  system  must  also  be  able  to  resolve  a  given  device’s  bit-level  credentials 
(MAC  address,  IMEI  number,  SIM  Number,  and/or  ESN)  and  RF-DNA  fingerprints 
with  the  stored  reference  model  associated  with  the  claimed  bit-level  credentials.  This 
device  ID  verification  must  be  performed  in  a  reliable,  timely  manner  for  authorized 
devices  while  at  the  same  time  detecting  the  presence  of  unauthorized  rogue  devices 
attempting  to  illegitimately  gain  network  access. 

5.2  Research  Contribution  Areas 

As  summarized  below,  several  important  research  contributions  were  made  to 
RF-DNA  fingerprinting  that  enhance  its  experimental-to-operational  transition  po¬ 
tential.  These  contributions  include: 

5.2.1  2D  Gabor-Based  RF-DNA.  One  approach  for  improving  device  clas¬ 
sification  performance  is  the  discovery  of  a  more  powerful  feature  set  using  a  given 
classifier,  where  increased  power  is  indicated  by  either  1)  requiring  a  lower  SNR  to 
achieve  a  given  classification  level,  or  2)  achieving  a  higher  classification  level  for  a 
given  SNR.  The  802.11a  WiFi  work  by  Klein  in  [56-58]  was  AFIT’s  first  success¬ 
ful  transition  from  ID  Time/Spectral  Domain  (TD/SD)  feature  sets  to  a  2D  joint 
Time-Frequency  (T-F)  feature  set  derived  from  Dual- Tree  Complex  Wavelet  Trans¬ 
form  (DT-CWT)  coefficients.  Klein’s  results  for  an  MDA/ML  classifier  showed  that 
2D  DT-CWT  features  were  indeed  superior  with  a  relative  performance  “gain”  (re¬ 
duction  in  required  SNR  to  achieve  a  given  classification  accuracy)  of  Gp~6.0  dB 
(TD)  and  Gp~-3.0  dB  (SD)  realized  for  an  arbitrary  %G>90%  performance  bench¬ 
mark  [56-58,94], 

Gabor  Transform  (GT)  and  Gabor-Wigner  Transform  (GWT)  features  are  in¬ 
troduced  here  as  2D  alternatives  to  the  DT-CWT.  Performance  was  assessed  here 
for  both  MDA/ML  and  GRLVQI  classifiers  using  GT/GWT  RF-DNA  feature  sets. 
For  the  same  802.11a  WiFi  devices  used  by  Klein  in  [56-58],  average  MDA/ML  clas¬ 
sification  performance  using  full-dimensional  (Nf=363  features)  GT-based  RF-DNA 
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fingerprints  achieved  the  %G>90%  benchmark  for  SNR>9.0  dB.  This  corresponds  to 
performance  gains  of  Gp^[9.5,  16.6,  9.1,  7.1]  dB  for  GWT,  TD,  SD,  and  DT-CWT- 
based  RF-DNA  fingerprinting,  respectively  RF-DNA  fingerprints  derived  from  2D 
GT-based  features  are  indeed  superior  to  previous  ID  and  2D  feature  sets  [71-73,76]. 

Results  for  802. 16e  WiMAX  Mobile  Subscriber  (MS)  devices  were  equally  sig¬ 
nificant,  with  MDA/ML  classifier  performance  using  full  dimensional  (Nf= 204  fea¬ 
tures)  GT-based  RF-DNA  fingerprints  reaching  the  arbitrary  %G>90%  benchmark 
for  SNR>Q. 5  dB  and  achieving  performance  gains  of  Gp~[ 4.9,  8.1,  20.0]  relative 
to  GWT,  TD,  and  SD  RF-DNA  fingerprints,  respectively  [71,  76].  Corresponding 
GRLVQI  classifier  results  using  the  same  input  feature  set  were  marginally  poorer, 
with  the  arbitrary  %C>90%  benchmark  reached  at  SNR>  10.0  dB  and  apprecia¬ 
ble  gains  of  Gp~[6.5,  12.5]  dB  achieved  for  GWT  and  TD  RF-DNA  fingerprints, 
respectively  [45,  72,  73].  Related  research  using  other  signal  types  suggests  that 
SNR=10.0  dB  is  achievable  in  operational  environments  such  that  implementation  of 
GRLVQI  processing  is  feasible.  Of  equal  importance,  the  inherent  feature  relevance 
indication  provided  by  GRLVQI  overcomes  a  major  MDA/ML  limitation  and  enables 
efficient  processing  using  dimensionally  reduced  feature  sets-the  next  highlighted  re¬ 
search  contribution. 

5.2.2  Dimensional  Reduction  Analysis  (DRA).  Although  the  MDA/ML 
classifier  performed  favorably  in  previous  works  and  for  generating  baseline  results  un¬ 
der  this  research,  it  has  one  major  limitation  that  impacts  its  potential  for  experimental- 
to-operational  transition-it  lacks  a  mechanism  for  relating  input  feature  impact  to  the 
final  classification  decision.  This  limitation  inhibits  the  ability  to  retain  or  discard  a 
given  feature,  based  upon  its  relevance  to  classification ,  for  future  feature  generation 
and  subsequent  classification.  The  ability  to  select  and  retain  a  most  relevant  set  of 
RF-DNA  features,  while  maintaining  a  given  classification  accuracy,  is  assessed  here 
using  Dimensional  Reduction  Analysis  (DRA).  The  dimensionally  reduced  feature 
set  requires  fewer  computational  resources  (processing  power,  memory,  etc.)  which 


increases  the  experimental-to-operational  transition  potential.  The  MDA/ML  limi¬ 
tation  is  overcome  here  using  GRLVQI  which  inherently  develops  a  feature  relevance 
ranking  for  each  RF-DNA  input  feature  during  classifier  training. 

Given  GRLVQI  relevance  rankings,  the  effectiveness  of  four  DRA  feature  selec¬ 
tion  methods  were  investigated  under  this  research,  including  [45,72,73]: 

i.  DRA  Method  #1:  Use  the  highest  ranked  relevance  values  produced  at  a  single 
SNR  to  evaluate  classification  performance  at  all  SNR  per  equation  (3.17). 

ii.  DRA  Method  #2:  Use  the  highest  ranked  relevance  values  for  each  investigated 
SNR  to  assess  classification  performance  at  the  same  SNR  per  equation  (3.18). 

iii.  DRA  Method  #3:  Use  the  highest  ranked  relevance  values  based  on  the  average 
relevance  rankings  computed  across  all  investigated  SNR  per  equation  (3.19). 

iv.  DRA  Method  7^4:  Use  the  union  of  highest  ranked  relevance  values  across  all 
SNR  considered  per  equation  (3.20). 

Results  in  Section  4.1.3  and  Section  4.2.3  show  that  for  DRAf«90%  (90%  of  full¬ 
dimensional  RF-DNA  input  features  discarded),  statistically  equivalent  classification 
performance  is  achieved  for  a  10 x  reduction  in  computation  time  [45,72,73].  Of  the 
four  methods  considered,  DRA  Method  fi3  resulted  in  the  best  overall  classification 
performance  for  all  feature  sets  (TD,  SD,  GT,  and  GWT)  and  range  of  SNR  consid¬ 
ered.  A  key  advantage  of  DRA  Method  is  that  it  provides  a  means  for  determining 
a  single,  SNR  independent  set  of  features  that  can  be  applied  without  requiring  real¬ 
time  burst  SNR  estimates  in  operational  network  security  systems.  Classification 
results  using  DRA  feature  sets  with  each  of  the  classifiers  include: 

1.  For  802. 16e  WiMAX  devices  with  dimensionally  reduced  feature  sets  (Nf =20  of 
204  total  features)  selected  using  DRA  Method  fi3:  1)  the  MDA/ML  classifier 
achieved  individual  device  classification  accuracies  of  %C'>80%  for  five  of  the 
six  devices  at  SNR>9.0  dB,  and  2)  the  GRVLQI  classifier  achieved  %C>80% 
for  all  six  devices  at  SNR>15.0  dB. 
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2.  For  802.11a  WiFi  devices  with  dimensionally  reduced  feature  sets  (Nf= 36  of 
363  total  features)  selected  using  DRA  Method  ^3:  1)  the  MDA/ML  classi¬ 
fier  achieved  the  arbitrary  %C'>90%  benchmark  at  SNR>  12.0  dB,  and  2)  the 
GRVLQI  classifier  achieved  the  arbitrary  %C>90%  benchmark  is  achieved  for 
SNR>  16.0  dB. 

5.2.3  Device  ID  Verification.  A  majority  of  prior  related  RF-DNA  finger¬ 
printing  work  predominantly  focused  on  device  classification  (a  one-to-many  looks 
“most  like”  assessment)  [44,47,57,74-76,81,93,94],  In  this  case,  the  network  security 
system  uses  a  similarity  measure  to  compare  an  unknown  device’s  “challenge”  RF- 
DNA  fingerprint  to  stored  reference  models  associated  with  each  of  the  Nq  known  f- 
authorized  network  devices.  The  security  system  then  declares  the  unknown  device 
as  being  one  the  specific  authorized  devices  based  on  the  reference  model  providing 
the  “best”  match  to  the  current  “challenge”  hngerprint(s).  This  declaration  is  made 
regardless  of  whether  or  not  the  “challenge”  fingerprints  originate  from  an  autho¬ 
rized  or  unauthorized  device.  This  “best”  match  assignment  may  actually  be  a  poor 
match  and  creates  the  opportunity  for  “rogue”  devices,  whose  RF-DNA  closely  resem¬ 
bles  that  of  an  authorized  device,  to  gain  access  to  the  unauthorized  network  access. 
Furthermore,  the  one-to-many  device  classification  approach  may  not  be  feasible  in 
applications  where  the  network  is  comprised  of  a  large  number  of  devices  or  a  network 
in  which  users  enter  and  leave  frequently  or  randomly. 

This  research  adopted  the  MDA/ML-based  verification  methods  used  for  unin¬ 
tentional  emissions  in  [19, 20]  and  expanded  their  applicability  to  include:  1)  inten¬ 
tional  wireless  emissions,  and  2)  implementation  with  a  GRLVQI  classifier  [71-73].  As 
designated  in  [19,20]  and  maintained  here,  device  ID  verification  (a  one-to-one  looks 
“how  much”  like  assessment)  involves  a  comparison  between  an  unknown  device’s 
“challenge”  hngerprint(s)  and  a  stored  reference  model  affiliated  with  the  claimed 
bit-level  identity  being  presented  by  the  device.  This  comparison  is  made  using  sim¬ 
ilarity  measures  ( verification  test  statistics)  that  are  based  on  Bayesian  posterior 
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probabilities  and  geometric  measures.  The  geometric  measures  considered  under  this 
research  included  Euclidean  Distance,  Normalized  Euclidean  Distance,  Spatial  Angle, 
and  the  product  of  Spatial  Angle  and  Normalized  Euclidean  Distance. 

Device  ID  verification  performance  using  802. 16e  WiMAX  devices  with  MDA/ML- 
based  Bayesian  posterior  probabilities  included  achieving  an  arbitrary  Equal  Error 
Rate  (EER)  of  EER<10%  benchmark  for  all  six  authorized  devices  at  SNR=6.0  dB. 
For  GRLVQI-based  geometric  measures,  the  product  of  Spatial  Angle  and  Normalized 
Euclidean  Distance  proved  superior  with  all  six  authorized  WiMAX  devices  achiev¬ 
ing  the  arbitrary  EER<10%  benchmark  at  SNR=18.0  dB.  To  simulate  a  network 
spoofing  attack,  GRLVQI-based  verification  was  performed  using  six  unauthorized 
“rogue”  WiMAX  devices  presenting  false  bit-level  credentials  matching  each  of  the 
authorized  device-a  total  of  36  independent  network  intrusion  attacks  via  spoofed 
bit-level  identities.  Using  the  GRLVQI-based  Spatial  Angle  times  Normalized  Eu¬ 
clidean  Distance  similarity  measure,  35  of  36  attacks  were  successfully  detected,  with 
EER<10%  (Rogue  Rejection  Rate  RRR>90%)  at  SNR= 18.0  dB  [72], 

For  completeness,  Device  ID  verification  performance  was  assessed  using  the 
four  available  802.11a  WiFi  devices.  This  was  done  using  the  GRLVQI-based  Spatial 
Angle  times  Normalized  Euclidean  Distance  similarity  measure.  In  this  case,  the  arbi¬ 
trary  EER<10%  benchmark  was  achieved  for  all  four  authorized  802.11a  WiFi  devices 
at  SNR=15.0  dB.  Given  the  limited  number  of  802.11a  devices,  rogue  rejection  was 
not  assessed  and  remains  an  area  of  interest  for  future  research. 

5.3  Recommendations  for  Future  Research 

As  outlined  in  Section  1.2,  the  decision  to  investigate  Gabor-based  RF-DNA 
fingerprinting  and  GRLVQI  classification  was  motivated  by  two  factors,  including 
1)  improving  device  classification  performance  relative  to  previous  RF  fingerprinting 
work  [23-25, 27, 29, 31, 33, 36, 38-41, 44, 47, 49, 54, 56-58, 67, 74, 75, 81,84, 86, 88, 89, 93- 
95]  and  2)  addressing  noted  shortcomings  of  the  MDA/ML  classifier.  Relative  to 
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previous  RF  fingerprinting  work,  the  utilization  and  benefits  of  Gabor-based  features 
and  GRLVQI  classification  has  been  acutely  demonstrated  and  well-received  within 
the  technical  community  [71-73,76].  However,  there  remains  several  related  topics  of 
interest  that  warrant  further  investigation,  including: 

1.  Alternate  Wireless  Devices:  Demonstration  results  presented  here  are  based 
on  experimentally  collected  IEEE  802.11a  WiFi  signals  from  Cisco  AIR-CB21G- 
A-K9  cards  and  IEEE  802. 16e  WiMAX  signals  from  Alvarion  BreezeMAX  Ex¬ 
treme  5000  WiMAX  MS  units.  There  are  many  other  manufacturers  of  WiFi 
and  WiMAX  subscriber  equipment.  Additional  research  could  be  conducted  to 
apply  techniques  developed  in  this  work  using  emissions  from  other  WiFi  (Net- 
Gear,  Linksys,  Etc.)  and  WiMAX  (Motorola,  Alcatel,  Etc.)  user  equipment. 
Also,  Fourth  Generation  (4G)  Long  Term  Evolution  (LTE)  is  an  OFDM-based 
wireless  standard  that  is  being  deployed  throughout  the  world  to  replace  older 
Third  Generation  (3G)  Global  System  for  Mobile  Communications  (GSM)  stan¬ 
dard.  The  application  of  Gabor-based  RF-DNA  fingerprinting  with  GRLVQI 
classification  and  verification  could  be  considered  for  securing  LTE  and  other 
4G  network  architectures  employing  WAPs. 

2.  Alternate  Classifiers:  This  work  introduced  the  ANN-based  GRLVQI  classi¬ 
fier  to  address  shortcomings  of  earlier  work  using  a  Fisher-based  MDA/ML  clas¬ 
sifier.  One  of  the  key  GRLVQI  advantages  exploited  under  this  research,  and 
which  is  not  supported  by  MDA/ML,  is  the  capability  to  determine  which  input 
features  are  most  relevant  to  overall  classification  performance.  The  GRLVQI 
classifier  implemented  here  uses  a  weighted  Euclidean  distance  as  the  classi¬ 
fication  similarity  measure.  While  effective,  it  is  believe  that  other  similarity 
measures  (e.g.,  1 1-norm,  spatial  angle,  spatial  angle  times  distance,  etc.)  may 
improve  upon  GRLVQI  classification  performance.  This  suggestion  is  based  on 
the  effectiveness  of  alternate  measures  that  were  used  here  for  demonstrating 
reliable  device  ID  verification.  Additional  research  at  AFIT  suggests  that  the 
Learning  From  Signals  (LFS)  classifier  may  be  effective  as  well  given  that  it  per- 
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forms  consistently  with  MDA/ML  while  providing  a  feature  relevance  indication 
similar  to  GRLVQI  [14,44-47], 

3.  Alternate  Channel  Models:  The  disparity  between  collected  SNRC  and  anal¬ 
ysis  signal  SNRa  was  such  that  the  like-filtered  Additive  White  Gaussian  Noise 
(AWGN)  dominated  the  collected  background  noise.  Thus,  the  the  research  re¬ 
sults  are  most  consistent  with  what  is  expected  for  AWGN  channel  conditions. 
The  signal  collection  environment  and  methodology  could  be  modified  such  that 
actual  SNRC  variation  is  induced  and  analysis  signal  generation  removed.  Ad¬ 
ditionally,  only  the  impact  of  a  single  multipath  reflector  was  considered  to 
provide  a  preliminary  assessment  of  performance  using  linear  (GT)  and  non¬ 
linear  (GWT)  features.  The  GWT  feature  set  provided  only  modest  additional 
robustness  to  simple  multipath  and  more  complex  multipath  models  (e.g.,  typ¬ 
ical  urban,  rural,  etc.)  should  be  considered  to  sufficiently  address  technical 
community  “encouragement”  and  provide  much  needed  demonstration  results. 

4.  Network/ Cross- Layer  Integration:  This  work  has  demonstrated  the  appli¬ 
cability  of  RF-DNA  fingerprinting  for  supporting  one-to-one  device  ID  verifica¬ 
tion  as  well  as  one-to-many  device  classification.  Specifically,  the  PHY-based 
methods  herein  support  envisioned  bit-level  security  augmentation  using  RF 
air  monitoring  under  network  (NWK)  control  at  WAPs.  The  effectiveness  of 
an  integrated  PHY-NWK  cross- layer  framework  remains  to  be  demonstrated 
and  could  be  pursued.  This  cross-layer  coordination  could  be  used  to  provide 
one-to-one  Multi-Factor  Verification  of  authorized  network  devices. 
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Appendix  A.  Additional  Results 


This  appendix  contains  the  additional  results  not  presented  in  Chapter  IV.  These 
additional  results  are  presented  here  in  the  same  order  as  presented  in  the 
document  above. 


A.l  WiMAX  Device  ID  Verification 


Here  are  the  device  verification  results  for  the  remaining  four  Authorized  and 
five  Rogue  WiMAX  MS  devices. 


False  Verification  Rate  (FVR)  False  Verification  Rate  (FVR) 

(a)  MS63A7.  (b)  MS63A9. 


False  Verification  Rate  (FVR) 


(c)  MS6373. 


(d)  MS6387. 


Figure  A.l:  ROC  curves  and  EER  for  four  WiMAX  MS  devices  at  SNR=[Q,  3,  6]  dB 
using  an  a  posterior  probability  verification  test  statistic  zv. 
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Figure  A. 2:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MS9993  at 
SNR=18  dB  using  a  Euclidean  Distance  verification  test  statistic  zv 


Figure  A. 3:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSC2FF  at 
SNR= 18  dB  using  a  Euclidean  Distance  verification  test  statistic  zv. 
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Figure  A. 4:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDAB9  at 
SNR= 18  dB  using  a  Euclidean  Distance  verification  test  statistic  zv. 


Figure  A. 5:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDAC5  at 
SNR=  18  dB  using  a  Euclidean  Distance  verification  test  statistic  zv. 
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Figure  A. 6:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDDBF  at 
SNR=18  dB  using  a  Euclidean  Distance  verification  test  statistic  zv. 


Figure  A. 7:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MS9993  at 
SNR= 18  dB  using  a  Normalized  Euclidean  Distance  verification  test  statistic  zv. 
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Figure  A. 8:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSC2FF  at 
SNR= 18  dB  using  a  Normalized  Euclidean  Distance  verification  test  statistic  zv. 


Figure  A. 9:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDAB9  at 
SNR= 18  dB  using  a  Normalized  Euclidean  Distance  verification  test  statistic  zv. 


109 


Figure  A. 10:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDAC5  at 
SNR= 18  dB  using  a  Normalized  Euclidean  Distance  verification  test  statistic  zv. 


Figure  A. 11:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDDBF  at 
SNR= 18  dB  using  a  Normalized  Euclidean  Distance  verification  test  statistic  zv. 
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Figure  A.  12:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MS9993  at 
SNR=18  dB  using  a  Spatial  Angle  verification  test  statistic  zv. 
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Figure  A.  13:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSC2FF  at 
SNR= 18  dB  using  a  Spatial  Angle  verification  test  statistic  zv. 
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Figure  A. 14:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDAB9  at 
SNR=18  dB  using  a  Spatial  Angle  verification  test  statistic  zv. 


Figure  A. 15:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDAC5  at 
SNR= 18  dB  using  a  Spatial  Angle  verification  test  statistic  zv. 
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Figure  A. 16:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDDBF  at 
SNR=18  dB  using  a  Spatial  Angle  verification  test  statistic  zv. 


Figure  A.  17:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MS9993  at 
SNR= 18  dB  using  the  a  Spatial  Angle-times-Normalized  Euclidean  Distance  veri¬ 
fication  test  statistic  zv. 
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Figure  A.  18:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSC2FF  at 
SNR— 18  dB  using  a  Spatial  Angle-times-Normalized  Euclidean  Distance  verification 
test  statistic  zv. 


Figure  A. 19:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDAB9  at 
SNR— 18  dB  using  a  Spatial  Angle-times-Normalized  Euclidean  Distance  verification 
test  statistic  zv. 
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Figure  A. 20:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDAC5  at 
SNR— 18  dB  using  a  Spatial  Angle-times-Normalized  Euclidean  Distance  verification 
test  statistic  zv. 


Figure  A. 21:  ROC  curves  and  EER  for  Rogue  WiMAX  MS  device  MSDDBF  at 
SNR— 18  dB  using  a  Spatial  Angle-times-Normalized  Euclidean  Distance  verification 
test  statistic  zv. 
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A. 2  WiFi  Device  ID  Verification 


Here  are  the  device  verification  results  for  WiFi  devices,  N4UW  and  N4PX,  not 


shown  in  Section  4.2.4. 


(a)  WiFi  device:  N4UW. 


False  Verification  Rate  (FVR) 


(b)  WiFi  device:  N4PX. 

Figure  A. 22:  ROC  curves  and  EER  for  N4UW  and  N4PX  WiFi  devices  at 
SNRa=[12,  15, 18]  dB. 
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